
Windows Analysis Report
msedge.exe

Overview

General Information

Sample name: msedge.exe
Analysis ID: 1575696
MD5: 7f7a3dc4765e86e7f2c06e42fa8cd1aa
SHA1: 7e53565f05406060ad0767fee6c25d88169eeb83
SHA256: b80255cba447ef8bab084763b3836776c42158673e386159df71862bf583c126
Tags: exe, XWorm, user-lontze7

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files to the user root directory
Drops PE files with benign system names
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Electron Application Child Processes
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • svchost.exe (PID: 7512 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7592 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7636 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 1744 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7648 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • msedge.exe (PID: 7660 cmdline: "C:\Users\user\Desktop\msedge.exe" MD5: 7F7A3DC4765E86E7F2C06E42FA8CD1AA)
    • powershell.exe (PID: 8052 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1824 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6120 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6364 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 1076 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\svchost.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 3452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 2068 cmdline: C:\Users\user\svchost.exe MD5: 7F7A3DC4765E86E7F2C06E42FA8CD1AA)
  • svchost.exe (PID: 4456 cmdline: "C:\Users\user\svchost.exe" MD5: 7F7A3DC4765E86E7F2C06E42FA8CD1AA)
  • svchost.exe (PID: 4480 cmdline: "C:\Users\user\svchost.exe" MD5: 7F7A3DC4765E86E7F2C06E42FA8CD1AA)
  • svchost.exe (PID: 6152 cmdline: C:\Users\user\svchost.exe MD5: 7F7A3DC4765E86E7F2C06E42FA8CD1AA)
  • cleanup
{"C2 url": ["127.0.0.1", "147.185.221.22"], "Port": 48990, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "msedge.exe", "Version": "XWorm V5.2"}
Source | Rule | Description | Author | Strings
msedge.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
msedge.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
msedge.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xce08:$s6: VirtualBox
  • 0xcd66:$s8: Win32_ComputerSystem
  • 0xe69e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xe73b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xe850:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xd950:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\Users\user\svchost.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\svchost.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\svchost.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xce08:$s6: VirtualBox
  • 0xcd66:$s8: Win32_ComputerSystem
  • 0xe69e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xe73b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xe850:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xd950:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000005.00000000.1269049317.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000005.00000000.1269049317.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xcc08:$s6: VirtualBox
  • 0xcb66:$s8: Win32_ComputerSystem
  • 0xe49e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xe53b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xe650:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xd750:$cnc4: POST / HTTP/1.1
00000005.00000002.2521104558.0000000002E51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Process Memory Space: msedge.exe PID: 7660 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
5.0.msedge.exe.bd0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
5.0.msedge.exe.bd0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
5.0.msedge.exe.bd0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xce08:$s6: VirtualBox
  • 0xcd66:$s8: Win32_ComputerSystem
  • 0xe69e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xe73b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xe850:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xd950:$cnc4: POST / HTTP/1.1

                    System Summary

Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\msedge.exe, ProcessId: 7660, TargetFilename: C:\Users\user\svchost.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\msedge.exe", ParentImage: C:\Users\user\Desktop\msedge.exe, ParentProcessId: 7660, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', ProcessId: 8052, ProcessName: powershell.exe
Source: Process started; Author: David Burkett, @signalblur; Data: Command: C:\Users\user\svchost.exe, CommandLine: C:\Users\user\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\svchost.exe, NewProcessName: C:\Users\user\svchost.exe, OriginalFileName: C:\Users\user\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1040, ProcessCommandLine: C:\Users\user\svchost.exe, ProcessId: 2068, ProcessName: svchost.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: C:\Users\user\svchost.exe, CommandLine: C:\Users\user\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\svchost.exe, NewProcessName: C:\Users\user\svchost.exe, OriginalFileName: C:\Users\user\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1040, ProcessCommandLine: C:\Users\user\svchost.exe, ProcessId: 2068, ProcessName: svchost.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\msedge.exe", ParentImage: C:\Users\user\Desktop\msedge.exe, ParentProcessId: 7660, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', ProcessId: 8052, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\msedge.exe, ProcessId: 7660, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\msedge.exe", ParentImage: C:\Users\user\Desktop\msedge.exe, ParentProcessId: 7660, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', ProcessId: 8052, ProcessName: powershell.exe
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\msedge.exe, ProcessId: 7660, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\msedge.exe", ParentImage: C:\Users\user\Desktop\msedge.exe, ParentProcessId: 7660, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', ProcessId: 8052, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\msedge.exe", ParentImage: C:\Users\user\Desktop\msedge.exe, ParentProcessId: 7660, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe', ProcessId: 8052, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 7512, ProcessName: svchost.exe

                    Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\msedge.exe", ParentImage: C:\Users\user\Desktop\msedge.exe, ParentProcessId: 7660, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\svchost.exe", ProcessId: 1076, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-16T08:39:36.707766+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49855 | 147.185.221.22 | 48990 | TCP

                    AV Detection

Source: msedge.exe; Avira: detected
Source: C:\Users\user\svchost.exe; Avira: detection malicious, Label: TR/Spy.Gen
Source: msedge.exe; Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "147.185.221.22"], "Port": 48990, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "msedge.exe", "Version": "XWorm V5.2"}
Source: C:\Users\user\svchost.exe; ReversingLabs: Detection: 81%
Source: msedge.exe; Virustotal: Detection: 66%
Source: msedge.exe; ReversingLabs: Detection: 81%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\svchost.exe; Joe Sandbox ML: detected
Source: msedge.exe; Joe Sandbox ML: detected
Source: msedge.exe; String decryptor: 127.0.0.1,147.185.221.22
Source: msedge.exe; String decryptor: 48990
Source: msedge.exe; String decryptor: <123456789>
Source: msedge.exe; String decryptor: <Xwormmm>
Source: msedge.exe; String decryptor: XWorm V5.2
Source: msedge.exe; String decryptor: msedge.exe
Source: msedge.exe; String decryptor: %Userprofile%
Source: msedge.exe; String decryptor: svchost.exe
Source: msedge.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: msedge.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

Source: Network traffic; Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.10:49855 -> 147.185.221.22:48990
Source: Malware configuration extractor; URLs: 127.0.0.1
Source: Malware configuration extractor; URLs: 147.185.221.22
Source: Yara match; File source: msedge.exe, type: SAMPLE
Source: Yara match; File source: 5.0.msedge.exe.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: C:\Users\user\svchost.exe, type: DROPPED
Source: global traffic; TCP traffic: 192.168.2.10:49855 -> 147.185.221.22:48990
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 208.95.112.1
Source: Joe Sandbox View; ASN Name: SALSGIVERUS
Source: unknown; DNS query: name: ip-api.com
Source: unknown; TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: ip-api.com
Source: powershell.exe, 0000000F.00000002.1828253891.000001CFE861B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1831242979.000001CFE8862000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000F.00000002.1828253891.000001CFE861B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 0000000D.00000002.1618313381.000002A55B86E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micros
Source: powershell.exe, 0000000F.00000002.1826733134.000001CFE8591000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://csoft.com/pki/crls/MicRooCerAut_23.crl0Z
Source: msedge.exe, svchost.exe.5.dr; String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000007.00000002.1370424682.00000231762B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1460006961.0000028E348A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1597184151.000002A5531A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1805287292.000001CFE027F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000F.00000002.1657599062.000001CFD043C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.1351920696.0000023166468000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1406643949.0000028E24A59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1508684817.000002A543359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1657599062.000001CFD043C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: msedge.exe, 00000005.00000002.2521104558.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1351920696.0000023166241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1406643949.0000028E24831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1508684817.000002A543131000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1657599062.000001CFD0211000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.1351920696.0000023166468000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1406643949.0000028E24A59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1508684817.000002A543359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1657599062.000001CFD043C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000F.00000002.1657599062.000001CFD043C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 00000000.00000002.1364153497.000001739F213000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.bingmapsportal.com
Source: powershell.exe, 0000000D.00000002.1618313381.000002A55B86E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1831242979.000001CFE8862000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 0000000A.00000002.1475962362.0000028E3CEB0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.coF
Source: powershell.exe, 00000007.00000002.1351920696.0000023166241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1406643949.0000028E24831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1508684817.000002A543131000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1657599062.000001CFD0211000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: powershell.exe, 0000000F.00000002.1805287292.000001CFE027F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.1805287292.000001CFE027F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.1805287292.000001CFE027F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000000.00000002.1364342754.000001739F259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000002.1364567404.000001739F270000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363152065.000001739F262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363218233.000001739F25F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363055956.000001739F26D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363430493.000001739F25A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364436387.000001739F263000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000002.1364567404.000001739F270000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363055956.000001739F26D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.1364486849.000001739F268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363103157.000001739F267000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000000.00000002.1364567404.000001739F270000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363055956.000001739F26D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000003.1363152065.000001739F262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364249736.000001739F23F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363430493.000001739F25A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364436387.000001739F263000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.1364179834.000001739F22B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364486849.000001739F268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363103157.000001739F267000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                    Source: svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                    Source: svchost.exe, 00000000.00000003.1363152065.000001739F262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364249736.000001739F23F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364436387.000001739F263000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
                    Source: svchost.exe, 00000000.00000003.1363474639.000001739F241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364274981.000001739F242000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                    Source: svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                    Source: svchost.exe, 00000000.00000003.1363152065.000001739F262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364436387.000001739F263000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                    Source: svchost.exe, 00000000.00000003.1363517726.000001739F230000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363152065.000001739F262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364211322.000001739F234000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364436387.000001739F263000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                    Source: svchost.exe, 00000000.00000002.1364274981.000001739F242000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                    Source: svchost.exe, 00000000.00000003.1363152065.000001739F262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364436387.000001739F263000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                    Source: svchost.exe, 00000000.00000003.1363474639.000001739F241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364274981.000001739F242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363218233.000001739F25F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
                    Source: svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364436387.000001739F263000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
                    Source: svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                    Source: svchost.exe, 00000000.00000002.1364179834.000001739F22B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364486849.000001739F268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363103157.000001739F267000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                    Source: powershell.exe, 0000000F.00000002.1657599062.000001CFD043C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 0000000F.00000002.1828253891.000001CFE85E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.co
                    Source: powershell.exe, 00000007.00000002.1370424682.00000231762B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1460006961.0000028E348A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1597184151.000002A5531A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1805287292.000001CFE027F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: svchost.exe, 00000000.00000003.1363474639.000001739F241000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                    Source: svchost.exe, 00000000.00000003.1363452301.000001739F24A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                    Source: svchost.exe, 00000000.00000003.1363452301.000001739F24A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364342754.000001739F259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                    Source: svchost.exe, 00000000.00000002.1364179834.000001739F22B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                    Source: svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                    Source: svchost.exe, 00000000.00000002.1364342754.000001739F259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=

                    Operating System Destruction

                    Source: C:\Users\user\Desktop\msedge.exe | Process information set: 01 00 00 00

                    System Summary

                    Source: msedge.exe, type: SAMPLE | Matched rule: Detects AsyncRAT, Author: ditekSHen
                    Source: 5.0.msedge.exe.bd0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
                    Source: 00000005.00000000.1269049317.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
                    Source: C:\Users\user\svchost.exe, type: DROPPED | Matched rule: Detects AsyncRAT, Author: ditekSHen
                    Source: C:\Users\user\Desktop\msedge.exe | Code function: 5_2_00007FF7C1427242
                    Source: C:\Users\user\Desktop\msedge.exe | Code function: 5_2_00007FF7C14216E9
                    Source: C:\Users\user\Desktop\msedge.exe | Code function: 5_2_00007FF7C1426096
                    Source: C:\Users\user\Desktop\msedge.exe | Code function: 5_2_00007FF7C14298B9
                    Source: C:\Users\user\Desktop\msedge.exe | Code function: 5_2_00007FF7C1422361
                    Source: C:\Users\user\Desktop\msedge.exe | Code function: 5_2_00007FF7C1429962
                    Source: C:\Users\user\Desktop\msedge.exe | Code function: 5_2_00007FF7C14220C5
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF7C14516FA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF7C14516BF
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FF7C1440B9A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FF7C15130E9
                    Source: C:\Users\user\svchost.exe | Code function: 21_2_00007FF7C14416E9
                    Source: C:\Users\user\svchost.exe | Code function: 21_2_00007FF7C1440E5E
                    Source: C:\Users\user\svchost.exe | Code function: 21_2_00007FF7C14420C5
                    Source: C:\Users\user\svchost.exe | Code function: 22_2_00007FF7C14416E9
                    Source: C:\Users\user\svchost.exe | Code function: 22_2_00007FF7C1440E5E
                    Source: C:\Users\user\svchost.exe | Code function: 22_2_00007FF7C14420C5
                    Source: C:\Users\user\svchost.exe | Code function: 23_2_00007FF7C14416E9
                    Source: C:\Users\user\svchost.exe | Code function: 23_2_00007FF7C1440E5E
                    Source: C:\Users\user\svchost.exe | Code function: 23_2_00007FF7C14420C5
                    Source: C:\Users\user\svchost.exe | Code function: 24_2_00007FF7C14516E9
                    Source: C:\Users\user\svchost.exe | Code function: 24_2_00007FF7C1450E5E
                    Source: C:\Users\user\svchost.exe | Code function: 24_2_00007FF7C14520C5
                    Source: msedge.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: msedge.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
                    Source: 5.0.msedge.exe.bd0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000005.00000000.1269049317.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\svchost.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
                    Source: msedge.exe, ClJBeJgoGyL7dyCG1tGoCNtGXgH.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: msedge.exe, ROA04jlzBM5tKsXGLvJTAJyil1l.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: msedge.exe, ROA04jlzBM5tKsXGLvJTAJyil1l.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: svchost.exe.5.dr, ClJBeJgoGyL7dyCG1tGoCNtGXgH.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: svchost.exe.5.dr, ROA04jlzBM5tKsXGLvJTAJyil1l.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: svchost.exe.5.dr, ROA04jlzBM5tKsXGLvJTAJyil1l.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: svchost.exe.5.dr, ZZNxplC1qoBkE06OZjlXPL4HB8I.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: svchost.exe.5.dr, ZZNxplC1qoBkE06OZjlXPL4HB8I.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: msedge.exe, ZZNxplC1qoBkE06OZjlXPL4HB8I.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: msedge.exe, ZZNxplC1qoBkE06OZjlXPL4HB8I.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engine | Classification label: mal100.troj.evad.winEXE@27/22@1/3
                    Source: C:\Users\user\Desktop\msedge.exe | File created: C:\Users\user\svchost.exe
                    Source: C:\Users\user\svchost.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3452:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3588:120:WilError_03
                    Source: C:\Users\user\Desktop\msedge.exe | Mutant created: \Sessions\1\BaseNamedObjects\Ak6vViazXPFQ1Vjt
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1784:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8060:120:WilError_03
                    Source: C:\Users\user\Desktop\msedge.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
                    Source: msedge.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: msedge.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\msedge.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\msedge.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: msedge.exe | Virustotal: Detection: 66%
                    Source: msedge.exe | ReversingLabs: Detection: 81%
                    Source: C:\Users\user\Desktop\msedge.exe | File read: C:\Users\user\Desktop\msedge.exe
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                    Source: unknown | Process created: C:\Users\user\Desktop\msedge.exe "C:\Users\user\Desktop\msedge.exe"
                    Source: C:\Users\user\Desktop\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\svchost.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\msedge.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\svchost.exe"
                    Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Users\user\svchost.exe C:\Users\user\svchost.exe
                    Source: unknown | Process created: C:\Users\user\svchost.exe "C:\Users\user\svchost.exe"
                    Source: unknown | Process created: C:\Users\user\svchost.exe "C:\Users\user\svchost.exe"
                    Source: unknown | Process created: C:\Users\user\svchost.exe C:\Users\user\svchost.exe
                    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: moshost.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mapsbtsvc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mosstorage.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mapconfiguration.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: storsvc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: fltlib.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bcd.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: storageusage.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: vaultcli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dmcfgutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dmcmnutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dmxmlhelputils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: inproclogger.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: windows.networking.connectivity.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: synccontroller.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: aphostclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: accountaccessor.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dsclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: systemeventsusererclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: userdatalanguageutil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mccsengineshared.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cemapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: userdatatypehelperutil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: phoneutil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\msedge.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\msedge.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Users\user\Desktop\msedge.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\msedge.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Users\user\Desktop\msedge.exeSection loaded: linkinfo.dllJump to behavior
                    Source: C:\Users\user\Desktop\msedge.exeSection loaded: ntshrui.dllJump to behavior
                    Source: C:\Users\user\Desktop\msedge.exeSection loaded: cscapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\msedge.exeSection loaded: avicap32.dllJump to behavior
                    Source: C:\Users\user\Desktop\msedge.exeSection loaded: msvfw32.dllJump to behavior
                    Source: C:\Users\user\Desktop\msedge.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: mpclient.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: secur32.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sspicli.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: version.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: msasn1.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: userenv.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: gpapi.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wbemcomn.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: amsi.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: profapi.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wscapi.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: urlmon.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: iertutil.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: srvcli.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: netutils.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: slc.dll
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: version.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: version.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: version.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: version.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\svchost.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\msedge.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: svchost.lnk.5.dr | LNK file: ..\..\..\..\..\..\..\svchost.exe
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: msedge.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: msedge.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: msedge.exe, XnmK7TyB4ULaUmsdYqe3JSJefLb.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{hwqyfpSSGO11cz682VhGb0NXNRmYBUQWCs267fJGztrGSRNdvjQtUjdXFppz5cjcEZdWiarpzxdkQm3NHH7B.A7rxcNvqzU76uFlG0QX7sv14wvOlXhMYghaGkMhZAqHk8yZqG8xIYnzSuAKMsSgrVyWGcjmILOsvgaZ0mvPU,hwqyfpSSGO11cz682VhGb0NXNRmYBUQWCs267fJGztrGSRNdvjQtUjdXFppz5cjcEZdWiarpzxdkQm3NHH7B.xJXPod4bAp14DCH243p0UfQGgLeKd2NCVPvRqY3EiTfQgHrP9D86Iw4amLoWtLqjFWiMi0WoClrGVGH6LpEc,hwqyfpSSGO11cz682VhGb0NXNRmYBUQWCs267fJGztrGSRNdvjQtUjdXFppz5cjcEZdWiarpzxdkQm3NHH7B.igr83DERlenUBPoQrBNkeZMGDeUihhqQIlliyPim9BHg9az4LU71Z6ssLRPLoXnrlpzJaaqnCFoKBrzEmRz5,hwqyfpSSGO11cz682VhGb0NXNRmYBUQWCs267fJGztrGSRNdvjQtUjdXFppz5cjcEZdWiarpzxdkQm3NHH7B.Biwi8kPODcmLWRKjYpUaiLyoQga1ODPh0mcSkXjJ03k1NA0Pci3N3b6rwHUXQWcFSoQK3hl64MqzjIljFTEo,ROA04jlzBM5tKsXGLvJTAJyil1l._5BzFHN1bOYwg()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: msedge.exe, XnmK7TyB4ULaUmsdYqe3JSJefLb.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hpTbHAHQpRWLhS0GFTIY2sRTKcK[2],ROA04jlzBM5tKsXGLvJTAJyil1l.aLCz44VbHdFV(Convert.FromBase64String(hpTbHAHQpRWLhS0GFTIY2sRTKcK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: msedge.exe, XnmK7TyB4ULaUmsdYqe3JSJefLb.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hpTbHAHQpRWLhS0GFTIY2sRTKcK[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: svchost.exe.5.dr, XnmK7TyB4ULaUmsdYqe3JSJefLb.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{hwqyfpSSGO11cz682VhGb0NXNRmYBUQWCs267fJGztrGSRNdvjQtUjdXFppz5cjcEZdWiarpzxdkQm3NHH7B.A7rxcNvqzU76uFlG0QX7sv14wvOlXhMYghaGkMhZAqHk8yZqG8xIYnzSuAKMsSgrVyWGcjmILOsvgaZ0mvPU,hwqyfpSSGO11cz682VhGb0NXNRmYBUQWCs267fJGztrGSRNdvjQtUjdXFppz5cjcEZdWiarpzxdkQm3NHH7B.xJXPod4bAp14DCH243p0UfQGgLeKd2NCVPvRqY3EiTfQgHrP9D86Iw4amLoWtLqjFWiMi0WoClrGVGH6LpEc,hwqyfpSSGO11cz682VhGb0NXNRmYBUQWCs267fJGztrGSRNdvjQtUjdXFppz5cjcEZdWiarpzxdkQm3NHH7B.igr83DERlenUBPoQrBNkeZMGDeUihhqQIlliyPim9BHg9az4LU71Z6ssLRPLoXnrlpzJaaqnCFoKBrzEmRz5,hwqyfpSSGO11cz682VhGb0NXNRmYBUQWCs267fJGztrGSRNdvjQtUjdXFppz5cjcEZdWiarpzxdkQm3NHH7B.Biwi8kPODcmLWRKjYpUaiLyoQga1ODPh0mcSkXjJ03k1NA0Pci3N3b6rwHUXQWcFSoQK3hl64MqzjIljFTEo,ROA04jlzBM5tKsXGLvJTAJyil1l._5BzFHN1bOYwg()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: svchost.exe.5.dr, XnmK7TyB4ULaUmsdYqe3JSJefLb.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hpTbHAHQpRWLhS0GFTIY2sRTKcK[2],ROA04jlzBM5tKsXGLvJTAJyil1l.aLCz44VbHdFV(Convert.FromBase64String(hpTbHAHQpRWLhS0GFTIY2sRTKcK[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: svchost.exe.5.dr, XnmK7TyB4ULaUmsdYqe3JSJefLb.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hpTbHAHQpRWLhS0GFTIY2sRTKcK[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: msedge.exe, XnmK7TyB4ULaUmsdYqe3JSJefLb.cs.Net Code: Xj3opHGJtX6mqfLbQ586SenJxaZ System.AppDomain.Load(byte[])
                    Source: msedge.exe, XnmK7TyB4ULaUmsdYqe3JSJefLb.cs.Net Code: _7JwanAlayP956S1YfhJ276EA0zo System.AppDomain.Load(byte[])
                    Source: msedge.exe, XnmK7TyB4ULaUmsdYqe3JSJefLb.cs.Net Code: _7JwanAlayP956S1YfhJ276EA0zo
                    Source: svchost.exe.5.dr, XnmK7TyB4ULaUmsdYqe3JSJefLb.cs.Net Code: Xj3opHGJtX6mqfLbQ586SenJxaZ System.AppDomain.Load(byte[])
                    Source: svchost.exe.5.dr, XnmK7TyB4ULaUmsdYqe3JSJefLb.cs.Net Code: _7JwanAlayP956S1YfhJ276EA0zo System.AppDomain.Load(byte[])
                    Source: svchost.exe.5.dr, XnmK7TyB4ULaUmsdYqe3JSJefLb.cs.Net Code: _7JwanAlayP956S1YfhJ276EA0zo
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FF7C130D2A5 pushad ; iretd 7_2_00007FF7C130D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FF7C14F2316 push 8B485F94h; iretd 7_2_00007FF7C14F231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FF7C133D2A5 pushad ; iretd 10_2_00007FF7C133D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FF7C1522316 push 8B485F91h; iretd 10_2_00007FF7C152231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FF7C132D2A5 pushad ; iretd 13_2_00007FF7C132D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FF7C14423CA pushad ; retf 13_2_00007FF7C14423F1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FF7C1512316 push 8B485F92h; iretd 13_2_00007FF7C151231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FF7C131D2A5 pushad ; iretd 15_2_00007FF7C131D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FF7C1502316 push 8B485F93h; iretd 15_2_00007FF7C150231B
                    Source: msedge.exe, EeQUS4ZjOwK8.cs High entropy of concatenated method names: 'BEkOaRtXwYDY', 'tDzCu0e3WEeg', 'yWjdtddv0Xt3', 'ZTiMgxMlOK4Lls1hsUowl1g0eweTgxFCbycIwHAnX7Ey', 'ONfNjFQJBDeGmgXRwkWa6ISIoMqeT0vUM0IOWpWWUZDI', 'HZzYpGvZJhu2Jx1H36pw79vtUHFKdMuCsDNf4yAIwPBh', 'J0aBMbydH5L2lFO4r2CVeEPLFS7YAPNOEC04xJ3SSPGa', '_7JNbl6RrSq9U9fMK44hb1KA6HABiU3z1G199Iqje5XhE', 'fNe92bntrXZpqNND6g0P0dS8S3LOwnd4vlWE5vkZ0orm', 'dVdRR7Yc2BU7DAfu9fZahc785QoqnA3ibgYVieknaN4m'
                    Source: msedge.exe, HHw18Y9Q6kPO0fCxeuqmQLvk5wM.cs High entropy of concatenated method names: 'Rz88CbkofRQSBlyUC2iSliDhzix', '_6VKrYeWuAGtKHz7vQGavDdUklOa', 'Czh46wiJObgYalUh7JZ8pqfi2nO', 'xBJ7ZrpMQiQ95cjdmlyUD2gfFxW', '_7VJ7k6KusCxoT3Lj3YfbqI4V2FVhCX3D00w1JZslBJB5', 'dHSDz1EDoKJQTDIGRkv5tELH1tmh8GlJK13PtNuvFMOO', 'FvIatD9gOVEvxXCsAGt4WTmxwOPmyDJbV4Kt1qWcEle5', 'EcfGCP3xujMl12PjRQYQcNw3CjptLBl0MJPbs0SM6H8f', 'BOAJOynD5C0tNXgWTXUhpznZI2LnEJ9oAlhC3bTorKlb', 'Ul61095usfdRaII4gDKky7HT3A4XKhVRhN7OABsy0GQL'
                    Source: msedge.exe, XnmK7TyB4ULaUmsdYqe3JSJefLb.cs High entropy of concatenated method names: 'cSiGfWwQNKnjOY34tKXgE9CdAE3', 'Xj3opHGJtX6mqfLbQ586SenJxaZ', 'cnOubgzclEqejbLc9zmYNOt5OkT', 'FUF8qpkoSVF3UCJEDEkKb1LBgGY', 'i6Aeix5fctsgkC2dvBJei1bI2ul', 'c9AIGBX1AxuA4mlVEgiBJhyTgpn', '_2fRCJVxcm6sOY1cNxijk1vzTcEU', 'oTnJsR89Q4iN8040AejMEnoqLyQ', 'CyCPDO1EFSfAJRUwCuy6P06tYZg', '_8hxjX34H28UADAFriPO5UzZoS7f'
                    Source: msedge.exe, ClJBeJgoGyL7dyCG1tGoCNtGXgH.cs High entropy of concatenated method names: 'N78pFddM6NIVyz3JSp6J4bHx74u', 'qRjFdfK5dDd54NRJvSZV32k8JzUtG9IxsyFzbjBX23Em', 'WgeA21AiTNWaidCz24LXopuhs3L2KeroqEEyUK2tNCoh', 'aF1lzQkptwsRuOFlD0jkn0AcZaAien9QbhJYFoaJlMz5', '_8yVvdn1Pqw8JVd8GMAcdFV5pJnfwkLV6EsHvf3GaIfzg'
                    Source: msedge.exe, b0X4vCrudtRDlq5oasaucurybIH.cs High entropy of concatenated method names: '_5MRa2DKH5oLGYs7eIWtLSWxABKT', 'XjwDblLKgW0B4Mi2yQdORsxc0ZE', 'ZNZHHwzVEhlP10ZDI7qQrPN48uj', 'Xz7OspQ07ocAFvaP90RdFqF9nzS', 'tkwVP9MZr22Isefb6cEkBcnwi21', 'hAiFidL3GkMG3zILcfq86pYxLQP', 'C8VLSibC7eKcUcB9yZJJjvcGztJ', 'KTfVXS5a0iPo5BVsrkT9COQFTJZ', '_50NFTpIDr0hh53bJiyUwJGhqV9H', 'eTkKHDryr4hHrmDuzKIBr16N3rg'
                    Source: msedge.exe, ROA04jlzBM5tKsXGLvJTAJyil1l.cs High entropy of concatenated method names: 'JBDiJuEXe9QsmvzJk8ScH0f5GgY', 'plp620fhufeQfL5N9zH3PDZb765', 'CrZhwbkUD83sVxWasDoh1KJaiyv', 'wUfl8yXjJawyl5kKeXxU2FHDM1Q', '_15fUzTuD1EZQSfmrXKFnnWfT2eA', '_8anHNbdhLOfc26EQw9gADUcgL50', 'uuCcqSGTX8qx8D0qBd0rPlbVcv6', 'W30LOSCbiJ3AMtyTQ8xHgK38hUF', 'VbJHXY2YKsJv', 'WXV6JAY37cNk'
                    Source: msedge.exe, gzCwMnB1Mu30pKXB3j1D7uPRP3H.cs High entropy of concatenated method names: 'FtHf2xHP2xG9qCTBNgYIUVRmws0', 'QRwWk5OwKrIHMS1ZUGoHpSPZmAg', 'whNeIb8GHT3pILpOG2cVCaenrOw', 'TQSx9TyMQ9dc', 'Kw3HY9cFYlV7', 'rozwsUfXd4ag', 'qtVRxjQl1dd6', 'nG6Pg37nPvvI', 'axPdWkFHdYz1', 'WK2vckwK45kX'
                    Source: msedge.exe, ZZNxplC1qoBkE06OZjlXPL4HB8I.cs High entropy of concatenated method names: 'a8AezXGpqBTmSqdCX92rtuPTqRQ', 'BIAhlyqnN2p24co7wcyeg82e223', 'H6CGD5TGA83LFuaO1nSGIwvxRvq', '_7lyW1YCnn0azLICSBrO6Lb2IhV8', 'k04YZwSUFoX8JOOkhkkbBVsDxEJ', '_8aHQ6lvBqt8RI6uwwtMDL1cltlI', 'SXUdsAx26h9lNaL5wSHU4w2Ivem', 'p8YdtqDwG8iW8w6pz5uq88zQpzp', 'AXCzqFlLL64IOxbZWT43ofISiaI', '_4YG9pO0zdpNcrMUrWrIyiEAU9h3'
                    Source: msedge.exe, 1vbQAVZMTGMSDF0Q0oxAMKV7Uq1.cs High entropy of concatenated method names: 'G1jxZ7SH5cUdkvW7I0suKxBbNdG', 'OcIxKgMgr48Kmsvkk8PikIhkrIv', 'Pny8WNtFTxKNEr9BaBte120KX9N', 'zPI6gQNFIAIDZ6h1ovUpS9TeiQH', '_3f5Bod7qXH5p6Z811rP8PPNtwMe', 'XDSCUKrTaDmVyppJoCSU9EELTN5', 'gArXXeQWvt22HTZY5X4WUgjwhTw', 'dkGI4rJni9vUzNveEUwJPVDbEJI', 'UycfknZ3J7tpf7xofg1CmTzlgwU', 'QNe6th0bEs4shaRq4E9BxAEtknv'
                    Source: svchost.exe.5.dr, EeQUS4ZjOwK8.cs High entropy of concatenated method names: 'BEkOaRtXwYDY', 'tDzCu0e3WEeg', 'yWjdtddv0Xt3', 'ZTiMgxMlOK4Lls1hsUowl1g0eweTgxFCbycIwHAnX7Ey', 'ONfNjFQJBDeGmgXRwkWa6ISIoMqeT0vUM0IOWpWWUZDI', 'HZzYpGvZJhu2Jx1H36pw79vtUHFKdMuCsDNf4yAIwPBh', 'J0aBMbydH5L2lFO4r2CVeEPLFS7YAPNOEC04xJ3SSPGa', '_7JNbl6RrSq9U9fMK44hb1KA6HABiU3z1G199Iqje5XhE', 'fNe92bntrXZpqNND6g0P0dS8S3LOwnd4vlWE5vkZ0orm', 'dVdRR7Yc2BU7DAfu9fZahc785QoqnA3ibgYVieknaN4m'
                    Source: svchost.exe.5.dr, HHw18Y9Q6kPO0fCxeuqmQLvk5wM.cs High entropy of concatenated method names: 'Rz88CbkofRQSBlyUC2iSliDhzix', '_6VKrYeWuAGtKHz7vQGavDdUklOa', 'Czh46wiJObgYalUh7JZ8pqfi2nO', 'xBJ7ZrpMQiQ95cjdmlyUD2gfFxW', '_7VJ7k6KusCxoT3Lj3YfbqI4V2FVhCX3D00w1JZslBJB5', 'dHSDz1EDoKJQTDIGRkv5tELH1tmh8GlJK13PtNuvFMOO', 'FvIatD9gOVEvxXCsAGt4WTmxwOPmyDJbV4Kt1qWcEle5', 'EcfGCP3xujMl12PjRQYQcNw3CjptLBl0MJPbs0SM6H8f', 'BOAJOynD5C0tNXgWTXUhpznZI2LnEJ9oAlhC3bTorKlb', 'Ul61095usfdRaII4gDKky7HT3A4XKhVRhN7OABsy0GQL'
                    Source: svchost.exe.5.dr, XnmK7TyB4ULaUmsdYqe3JSJefLb.cs High entropy of concatenated method names: 'cSiGfWwQNKnjOY34tKXgE9CdAE3', 'Xj3opHGJtX6mqfLbQ586SenJxaZ', 'cnOubgzclEqejbLc9zmYNOt5OkT', 'FUF8qpkoSVF3UCJEDEkKb1LBgGY', 'i6Aeix5fctsgkC2dvBJei1bI2ul', 'c9AIGBX1AxuA4mlVEgiBJhyTgpn', '_2fRCJVxcm6sOY1cNxijk1vzTcEU', 'oTnJsR89Q4iN8040AejMEnoqLyQ', 'CyCPDO1EFSfAJRUwCuy6P06tYZg', '_8hxjX34H28UADAFriPO5UzZoS7f'
                    Source: svchost.exe.5.dr, ClJBeJgoGyL7dyCG1tGoCNtGXgH.cs High entropy of concatenated method names: 'N78pFddM6NIVyz3JSp6J4bHx74u', 'qRjFdfK5dDd54NRJvSZV32k8JzUtG9IxsyFzbjBX23Em', 'WgeA21AiTNWaidCz24LXopuhs3L2KeroqEEyUK2tNCoh', 'aF1lzQkptwsRuOFlD0jkn0AcZaAien9QbhJYFoaJlMz5', '_8yVvdn1Pqw8JVd8GMAcdFV5pJnfwkLV6EsHvf3GaIfzg'
                    Source: svchost.exe.5.dr, b0X4vCrudtRDlq5oasaucurybIH.cs High entropy of concatenated method names: '_5MRa2DKH5oLGYs7eIWtLSWxABKT', 'XjwDblLKgW0B4Mi2yQdORsxc0ZE', 'ZNZHHwzVEhlP10ZDI7qQrPN48uj', 'Xz7OspQ07ocAFvaP90RdFqF9nzS', 'tkwVP9MZr22Isefb6cEkBcnwi21', 'hAiFidL3GkMG3zILcfq86pYxLQP', 'C8VLSibC7eKcUcB9yZJJjvcGztJ', 'KTfVXS5a0iPo5BVsrkT9COQFTJZ', '_50NFTpIDr0hh53bJiyUwJGhqV9H', 'eTkKHDryr4hHrmDuzKIBr16N3rg'
                    Source: svchost.exe.5.dr, ROA04jlzBM5tKsXGLvJTAJyil1l.cs High entropy of concatenated method names: 'JBDiJuEXe9QsmvzJk8ScH0f5GgY', 'plp620fhufeQfL5N9zH3PDZb765', 'CrZhwbkUD83sVxWasDoh1KJaiyv', 'wUfl8yXjJawyl5kKeXxU2FHDM1Q', '_15fUzTuD1EZQSfmrXKFnnWfT2eA', '_8anHNbdhLOfc26EQw9gADUcgL50', 'uuCcqSGTX8qx8D0qBd0rPlbVcv6', 'W30LOSCbiJ3AMtyTQ8xHgK38hUF', 'VbJHXY2YKsJv', 'WXV6JAY37cNk'
                    Source: svchost.exe.5.dr, gzCwMnB1Mu30pKXB3j1D7uPRP3H.cs High entropy of concatenated method names: 'FtHf2xHP2xG9qCTBNgYIUVRmws0', 'QRwWk5OwKrIHMS1ZUGoHpSPZmAg', 'whNeIb8GHT3pILpOG2cVCaenrOw', 'TQSx9TyMQ9dc', 'Kw3HY9cFYlV7', 'rozwsUfXd4ag', 'qtVRxjQl1dd6', 'nG6Pg37nPvvI', 'axPdWkFHdYz1', 'WK2vckwK45kX'
                    Source: svchost.exe.5.dr, ZZNxplC1qoBkE06OZjlXPL4HB8I.cs High entropy of concatenated method names: 'a8AezXGpqBTmSqdCX92rtuPTqRQ', 'BIAhlyqnN2p24co7wcyeg82e223', 'H6CGD5TGA83LFuaO1nSGIwvxRvq', '_7lyW1YCnn0azLICSBrO6Lb2IhV8', 'k04YZwSUFoX8JOOkhkkbBVsDxEJ', '_8aHQ6lvBqt8RI6uwwtMDL1cltlI', 'SXUdsAx26h9lNaL5wSHU4w2Ivem', 'p8YdtqDwG8iW8w6pz5uq88zQpzp', 'AXCzqFlLL64IOxbZWT43ofISiaI', '_4YG9pO0zdpNcrMUrWrIyiEAU9h3'
                    Source: svchost.exe.5.dr, 1vbQAVZMTGMSDF0Q0oxAMKV7Uq1.cs High entropy of concatenated method names: 'G1jxZ7SH5cUdkvW7I0suKxBbNdG', 'OcIxKgMgr48Kmsvkk8PikIhkrIv', 'Pny8WNtFTxKNEr9BaBte120KX9N', 'zPI6gQNFIAIDZ6h1ovUpS9TeiQH', '_3f5Bod7qXH5p6Z811rP8PPNtwMe', 'XDSCUKrTaDmVyppJoCSU9EELTN5', 'gArXXeQWvt22HTZY5X4WUgjwhTw', 'dkGI4rJni9vUzNveEUwJPVDbEJI', 'UycfknZ3J7tpf7xofg1CmTzlgwU', 'QNe6th0bEs4shaRq4E9BxAEtknv'

                    Persistence and Installation Behavior

                    Source: C:\Users\user\Desktop\msedge.exe File created: C:\Users\user\svchost.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\msedge.exe File created: C:\Users\user\svchost.exe
                    Source: C:\Users\user\Desktop\msedge.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\svchost.exe"
                    Source: C:\Users\user\Desktop\msedge.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
                    Source: C:\Users\user\Desktop\msedge.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\msedge.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (117 identical events)
                    Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX (6 identical events)
                    Source: C:\Users\user\svchost.exe | Process information set: NOOPENFILEERRORBOX (46 identical events)

                    Malware Analysis System Evasion

                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                    Source: C:\Users\user\Desktop\msedge.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (3 identical events)
                    Source: msedge.exe, svchost.exe.5.dr | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\msedge.exe | Memory allocated: 2CD0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\msedge.exe | Memory allocated: 1AE50000 memory reserve | memory write watch
                    Source: C:\Users\user\svchost.exe | Memory allocated: 1110000 memory reserve | memory write watch
                    Source: C:\Users\user\svchost.exe | Memory allocated: 1ADA0000 memory reserve | memory write watch
                    Source: C:\Users\user\svchost.exe | Memory allocated: BF0000 memory reserve | memory write watch
                    Source: C:\Users\user\svchost.exe | Memory allocated: 1AAA0000 memory reserve | memory write watch
                    Source: C:\Users\user\svchost.exe | Memory allocated: 1370000 memory reserve | memory write watch
                    Source: C:\Users\user\svchost.exe | Memory allocated: 1AEA0000 memory reserve | memory write watch
                    Source: C:\Users\user\svchost.exe | Memory allocated: 11F0000 memory reserve | memory write watch
                    Source: C:\Users\user\svchost.exe | Memory allocated: 1ABA0000 memory reserve | memory write watch
                    Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00007FF7C15011A8 sldt word ptr [eax]
                    Source: C:\Users\user\Desktop\msedge.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 identical events)
                    Source: C:\Users\user\svchost.exe | Thread delayed: delay time: 922337203685477 (4 identical events)
                    Source: C:\Users\user\Desktop\msedge.exe | Window / User API: threadDelayed 9782
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6313
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3485
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7691
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1881
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7398
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2236
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7587
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1954
                    Source: C:\Users\user\Desktop\msedge.exe TID: 3960 | Thread sleep time: -14757395258967632s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8184 | Thread sleep time: -7378697629483816s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7152 | Thread sleep count: 7691 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5900 | Thread sleep count: 1881 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6012 | Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7780 | Thread sleep count: 7398 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1636 | Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912 | Thread sleep count: 2236 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8092 | Thread sleep count: 7587 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8092 | Thread sleep count: 1954 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148 | Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Users\user\svchost.exe TID: 3408 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\svchost.exe TID: 6208 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\svchost.exe TID: 4420 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\svchost.exe TID: 5940 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                    Source: C:\Users\user\Desktop\msedge.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 identical events)
                    Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation (3 identical events)
                    Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\Windows\System32 FullSizeInformation
                    Source: C:\Users\user\Desktop\msedge.exe | File Volume queried: C:\ FullSizeInformation (4 identical events)
                    Source: C:\Users\user\svchost.exe | File Volume queried: C:\ FullSizeInformation (4 identical events)
                    Source: C:\Users\user\Desktop\msedge.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 identical events)
                    Source: C:\Users\user\svchost.exe | Thread delayed: delay time: 922337203685477 (4 identical events)
                    Source: svchost.exe, 00000002.00000002.2514899312.00000214D3639000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: svchost.exe.5.dr | Binary or memory string: vmware
                    Source: svchost.exe, 00000002.00000002.2515077351.00000214D3681000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: msedge.exe, 00000005.00000002.2539553444.000000001BD40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
                    Source: svchost.exe, 00000002.00000002.2514720031.00000214D3602000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                    Source: svchost.exe, 00000002.00000002.2514985592.00000214D364C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                    Source: svchost.exe, 00000002.00000002.2514899312.00000214D362B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: svchost.exe, 00000002.00000002.2515077351.00000214D3665000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000es
                    Source: svchost.exe, 00000002.00000002.2515176943.00000214D368E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: svchost.exe, 00000002.00000002.2514899312.00000214D362B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: svchost.exe, 00000002.00000002.2514851469.00000214D3613000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: C:\Users\user\Desktop\msedge.exe | Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\Desktop\msedge.exe | Code function: 5_2_00007FF7C1427A41 CheckRemoteDebuggerPresent
                    Source: C:\Users\user\Desktop\msedge.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\msedge.exe | Process token adjusted: Debug (2 identical events)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (4 identical events)
                    Source: C:\Users\user\svchost.exe | Process token adjusted: Debug (2 identical events)
                    Source: C:\Users\user\Desktop\msedge.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe'
Source: C:\Users\user\Desktop\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\svchost.exe'
Source: C:\Users\user\Desktop\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe'
Source: C:\Users\user\Desktop\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\svchost.exe'
Source: C:\Users\user\Desktop\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe'
Source: C:\Users\user\Desktop\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe'
Source: C:\Users\user\Desktop\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
Source: C:\Users\user\Desktop\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\svchost.exe'
Source: C:\Users\user\Desktop\msedge.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Users\user\Desktop\msedge.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\svchost.exe"
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
Source: C:\Users\user\Desktop\msedge.exe | Queries volume information: C:\Users\user\Desktop\msedge.exe VolumeInformation
Source: C:\Users\user\Desktop\msedge.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\svchost.exe | Queries volume information: C:\Users\user\svchost.exe VolumeInformation
Source: C:\Users\user\svchost.exe | Queries volume information: C:\Users\user\svchost.exe VolumeInformation
Source: C:\Users\user\svchost.exe | Queries volume information: C:\Users\user\svchost.exe VolumeInformation
Source: C:\Users\user\svchost.exe | Queries volume information: C:\Users\user\svchost.exe VolumeInformation
Source: C:\Users\user\Desktop\msedge.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: svchost.exe, 00000003.00000002.2515155245.000002AE90502000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000003.00000002.2515155245.000002AE90502000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000005.00000002.2539553444.000000001BDD6000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000005.00000002.2539553444.000000001BE13000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000005.00000002.2539553444.000000001BD40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Users\user\Desktop\msedge.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: msedge.exe, type: SAMPLE
Source: Yara match | File source: 5.0.msedge.exe.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.1269049317.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2521104558.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msedge.exe PID: 7660, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\svchost.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: msedge.exe, type: SAMPLE
Source: Yara match | File source: 5.0.msedge.exe.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.1269049317.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2521104558.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msedge.exe PID: 7660, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\svchost.exe, type: DROPPED
MITRE ATT&CK Matrix (one row per tactic; cells listed in the report's column order, with the report's own counters kept in front of the techniques that carry them)

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise
Execution: 12 Windows Management Instrumentation | 1 Scheduled Task/Job | 1 PowerShell | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job
Persistence: 1 Scheduled Task/Job | 21 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Privilege Escalation: 11 Process Injection | 1 Scheduled Task/Job | 21 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Defense Evasion: 211 Masquerading | 21 Disable or Modify Tools | 181 Virtualization/Sandbox Evasion | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Obfuscated Files or Information | 2 Software Packing | 1 DLL Side-Loading
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem
Discovery: 561 Security Software Discovery | 1 Process Discovery | 181 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 1 System Network Configuration Discovery | 1 File and Directory Discovery | 33 System Information Discovery | System Owner/User Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services
Collection: 11 Archive Collected Data | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking
Command and Control: 1 Encrypted Channel | 1 Non-Standard Port | 1 Ingress Tool Transfer | 2 Non-Application Layer Protocol | 12 Application Layer Protocol | Multiband Communication | Commonly Used Port | Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement
                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
[Behavior graph: the rendered figure is not recoverable; its node and edge text, reconstructed. Node numbers in parentheses are the graph's own node IDs; bracketed numbers are the node badges as shown.]
Behavior Graph ID: 1575696 | Sample: msedge.exe | Start date: 16/12/2024 | Architecture: WINDOWS | Score: 100
Root (2): DNS: ip-api.com (44). Signatures: Suricata IDS alerts for network traffic (52); Found malware configuration (54); Malicious sample detected (through community Yara rule) (56); 17 other signatures (58). Started: msedge.exe (8) [15 6]; svchost.exe (13); svchost.exe (15); 6 other processes (17).
msedge.exe (8): DNS/IP: 147.185.221.22, ports 48990, 49855, 49903, SALSGIVERUS, United States (46); 127.0.0.1, unknown, unknown (48); ip-api.com 208.95.112.1, ports 49707, 80, TUT-ASUS, United States (50). Dropped: C:\Users\user\svchost.exe, PE32 (42). Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) (62); Protects its processes via BreakOnTermination flag (64); Bypasses PowerShell execution policy (66); 5 other signatures (76). Started: powershell.exe (19) [23]; powershell.exe (22) [23]; powershell.exe (24) [22]; 2 other processes (28).
svchost.exe (13): Signatures: Antivirus detection for dropped file (68); Multi AV Scanner detection for dropped file (70); Machine Learning detection for dropped file (72).
svchost.exe (15): Signatures: Changes security center settings (notifications, updates, antivirus, firewall) (74). Started: MpCmdRun.exe (26).
powershell.exe (19): Signatures: Loading BitLocker PowerShell Module (60). Started: conhost.exe (30).
powershell.exe (22): Started: conhost.exe (32).
powershell.exe (24): Started: conhost.exe (34).
MpCmdRun.exe (26): Started: conhost.exe (36).
2 other processes (28): Started: conhost.exe (38); conhost.exe (40).

Sample:
Source | Detection | Scanner | Label | Link
msedge.exe | 67% | Virustotal | | Browse
msedge.exe | 82% | ReversingLabs | Win32.Exploit.Xworm |
msedge.exe | 100% | Avira | TR/Spy.Gen |
msedge.exe | 100% | Joe Sandbox ML | |

Dropped files:
Source | Detection | Scanner | Label | Link
C:\Users\user\svchost.exe | 100% | Avira | TR/Spy.Gen |
C:\Users\user\svchost.exe | 100% | Joe Sandbox ML | |
C:\Users\user\svchost.exe | 82% | ReversingLabs | Win32.Exploit.Xworm |
                    No Antivirus matches
                    No Antivirus matches
URLs:
Source | Detection | Scanner | Label | Link
147.185.221.22 | 0% | Avira URL Cloud | safe |
http://www.bingmapsportal.com | 0% | Avira URL Cloud | safe |
http://www.microsoft.coF | 0% | Avira URL Cloud | safe |
127.0.0.1 | 0% | Avira URL Cloud | safe |
http://csoft.com/pki/crls/MicRooCerAut_23.crl0Z | 0% | Avira URL Cloud | safe |
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= | 0% | Avira URL Cloud | safe |
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | 0% | Avira URL Cloud | safe |
https://dynamic.t | 0% | Avira URL Cloud | safe |
http://csoft.com/pki/crls/MicRooCerAut_23.crl0Z | 0% | Virustotal | | Browse
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | 0% | Avira URL Cloud | safe |
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | 0% | Avira URL Cloud | safe |

Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high

Contacted URLs/IPs:
Name | Malicious | Antivirus Detection | Reputation
147.185.221.22 | true | Avira URL Cloud: safe | unknown
127.0.0.1 | true | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | | high
URLs from memory and binaries:
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.microsoft.coF | powershell.exe, 0000000A.00000002.1475962362.0000028E3CEB0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000000.00000002.1364486849.000001739F268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363103157.000001739F267000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://go.microsoft.co | powershell.exe, 0000000F.00000002.1828253891.000001CFE85E8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000000.00000003.1363474639.000001739F241000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.microsoft.co | powershell.exe, 0000000D.00000002.1618313381.000002A55B86E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1831242979.000001CFE8862000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000F.00000002.1805287292.000001CFE027F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000000.00000002.1364567404.000001739F270000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363152065.000001739F262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363218233.000001739F25F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363055956.000001739F26D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363430493.000001739F25A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364436387.000001739F263000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000000.00000002.1364179834.000001739F22B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000000.00000003.1363474639.000001739F241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364274981.000001739F242000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000000F.00000002.1805287292.000001CFE027F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.1370424682.00000231762B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1460006961.0000028E348A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1597184151.000002A5531A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1805287292.000001CFE027F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micft.cMicRosof | powershell.exe, 0000000F.00000002.1828253891.000001CFE861B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | msedge.exe, 00000005.00000002.2521104558.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1351920696.0000023166241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1406643949.0000028E24831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1508684817.000002A543131000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1657599062.000001CFD0211000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.bingmapsportal.com | svchost.exe, 00000000.00000002.1364153497.000001739F213000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000000.00000003.1363152065.000001739F262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364249736.000001739F23F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363430493.000001739F25A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364436387.000001739F263000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://csoft.com/pki/crls/MicRooCerAut_23.crl0Z | powershell.exe, 0000000F.00000002.1826733134.000001CFE8591000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000000.00000002.1364179834.000001739F22B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364486849.000001739F268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363103157.000001739F267000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.1370424682.00000231762B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1460006961.0000028E348A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1597184151.000002A5531A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1805287292.000001CFE027F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000F.00000002.1657599062.000001CFD043C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000007.00000002.1351920696.0000023166468000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1406643949.0000028E24A59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1508684817.000002A543359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1657599062.000001CFD043C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000F.00000002.1657599062.000001CFD043C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | svchost.exe, 00000000.00000002.1364567404.000001739F270000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363055956.000001739F26D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000000.00000002.1364179834.000001739F22B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364486849.000001739F268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363103157.000001739F267000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 00000000.00000003.1363152065.000001739F262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364249736.000001739F23F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364436387.000001739F263000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.mic | powershell.exe, 0000000F.00000002.1828253891.000001CFE861B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1831242979.000001CFE8862000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 0000000F.00000002.1805287292.000001CFE027F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000000.00000003.1363452301.000001739F24A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364342754.000001739F259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= | svchost.exe, 00000000.00000003.1363474639.000001739F241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364274981.000001739F242000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363218233.000001739F25F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000000.00000003.1363152065.000001739F262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364436387.000001739F263000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 00000000.00000003.1363452301.000001739F24A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/ | svchost.exe, 00000000.00000002.1364342754.000001739F259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000000F.00000002.1657599062.000001CFD043C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 00000000.00000002.1364274981.000001739F242000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dynamic.t | svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364436387.000001739F263000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000007.00000002.1351920696.0000023166468000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1406643949.0000028E24A59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1508684817.000002A543359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1657599062.000001CFD043C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north= | svchost.exe, 00000000.00000002.1364342754.000001739F259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000007.00000002.1351920696.0000023166241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1406643949.0000028E24831000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1508684817.000002A543131000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1657599062.000001CFD0211000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 00000000.00000003.1363152065.000001739F262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364436387.000001739F263000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 00000000.00000003.1363340037.000001739F258000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.micros | powershell.exe, 0000000D.00000002.1618313381.000002A55B86E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 00000000.00000002.1364567404.000001739F270000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363055956.000001739F26D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 00000000.00000003.1363517726.000001739F230000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363152065.000001739F262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364211322.000001739F234000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364436387.000001739F263000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted public IPs:
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | | 53334 | TUT-ASUS | false
147.185.221.22 | unknown | United States | | 12087 | SALSGIVERUS | true

Contacted private IPs:
IP
127.0.0.1
                                                                                                            Joe Sandbox version:41.0.0 Charoite
                                                                                                            Analysis ID:1575696
                                                                                                            Start date and time:2024-12-16 08:37:26 +01:00
                                                                                                            Joe Sandbox product:CloudBasic
                                                                                                            Overall analysis duration:0h 7m 3s
                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                            Report type:full
                                                                                                            Cookbook file name:default.jbs
                                                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: msedge.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@27/22@1/3
EGA Information:
• Successful, ratio: 11.1%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 92
• Number of non-executed functions: 5
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 1824 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6120 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6364 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8052 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 2068 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 4456 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 4480 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 6152 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time     | Type            | Description
02:38:23 | API Interceptor | 52x Sleep call for process: powershell.exe modified
02:39:16 | API Interceptor | 34112x Sleep call for process: msedge.exe modified
02:39:17 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
08:39:17 | Task Scheduler  | Run new task: svchost path: C:\Users\user\svchost.exe
08:39:20 | Autostart       | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\svchost.exe
08:39:28 | Autostart       | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\svchost.exe
08:39:37 | Autostart       | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
Match        | Associated Sample Name / URL | Detection | Threat Name                                                      | Context
208.95.112.1 | imagelogger.exe              | malicious | XWorm                                                            | ip-api.com/line/?fields=hosting
             | NJRAT DANGEROUS.exe          | malicious | XWorm                                                            | ip-api.com/line/?fields=hosting
             | com surrogate.exe            | malicious | XWorm                                                            | ip-api.com/line/?fields=hosting
             | jerniuiopu.exe               | malicious | Blackshades                                                      | ip-api.com/json/
             | file.exe                     | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig  | ip-api.com/line/?fields=hosting
             | RdLfpZY5A9.exe               | malicious | 77Rootkit, XWorm                                                 | ip-api.com/line/?fields=hosting
             | 7laJ4zKd8O.exe               | malicious | XWorm                                                            | ip-api.com/line/?fields=hosting
             | 3edTbzftGf.exe               | malicious | Discord Token Stealer, DotStealer                                | ip-api.com/json/
             | gjvU5KOFhX.exe               | malicious | Discord Token Stealer, Millenuim RAT                             | ip-api.com/json/
             | hvqc3lk7ly.exe               | malicious | Discord Token Stealer, DotStealer                                | ip-api.com/json/
Match      | Associated Sample Name / URL | Detection | Threat Name                                                      | Context
ip-api.com | imagelogger.exe              | malicious | XWorm                                                            | 208.95.112.1
           | NJRAT DANGEROUS.exe          | malicious | XWorm                                                            | 208.95.112.1
           | com surrogate.exe            | malicious | XWorm                                                            | 208.95.112.1
           | jerniuiopu.exe               | malicious | Blackshades                                                      | 208.95.112.1
           | file.exe                     | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig  | 208.95.112.1
           | RdLfpZY5A9.exe               | malicious | 77Rootkit, XWorm                                                 | 208.95.112.1
           | 7laJ4zKd8O.exe               | malicious | XWorm                                                            | 208.95.112.1
           | 3edTbzftGf.exe               | malicious | Discord Token Stealer, DotStealer                                | 208.95.112.1
           | gjvU5KOFhX.exe               | malicious | Discord Token Stealer, Millenuim RAT                             | 208.95.112.1
           | hvqc3lk7ly.exe               | malicious | Discord Token Stealer, DotStealer                                | 208.95.112.1
Match       | Associated Sample Name / URL | Detection | Threat Name                                                      | Context
TUT-ASUS    | imagelogger.exe              | malicious | XWorm                                                            | 208.95.112.1
            | NJRAT DANGEROUS.exe          | malicious | XWorm                                                            | 208.95.112.1
            | com surrogate.exe            | malicious | XWorm                                                            | 208.95.112.1
            | jerniuiopu.exe               | malicious | Blackshades                                                      | 208.95.112.1
            | https://fsharetv.io          | malicious | Unknown                                                          | 162.252.214.4
            | file.exe                     | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig  | 208.95.112.1
            | RdLfpZY5A9.exe               | malicious | 77Rootkit, XWorm                                                 | 208.95.112.1
            | 7laJ4zKd8O.exe               | malicious | XWorm                                                            | 208.95.112.1
            | 3edTbzftGf.exe               | malicious | Discord Token Stealer, DotStealer                                | 208.95.112.1
            | gjvU5KOFhX.exe               | malicious | Discord Token Stealer, Millenuim RAT                             | 208.95.112.1
SALSGIVERUS | imagelogger.exe              | malicious | XWorm                                                            | 147.185.221.229
            | NJRAT DANGEROUS.exe          | malicious | XWorm                                                            | 147.185.221.181
            | com surrogate.exe            | malicious | XWorm                                                            | 147.185.221.22
            | lastest.exe                  | malicious | Njrat                                                            | 147.185.221.20
            | Fast Download.exe            | malicious | Njrat                                                            | 147.185.221.229
            | cnct.exe                     | malicious | Njrat                                                            | 147.185.221.20
            | Server1.exe                  | malicious | Njrat                                                            | 147.185.221.17
            | njSilent.exe                 | malicious | Njrat                                                            | 147.185.221.19
            | Minet.exe                    | malicious | Njrat                                                            | 147.185.221.22
            | Discordd.exe                 | malicious | AsyncRAT                                                         | 147.185.221.18
No context
No context
Process: C:\Users\user\svchost.exe
File Type: CSV text
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.380476433908377
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5: 30E4BDFC34907D0E4D11152CAEBE27FA
SHA1: 825402D6B151041BA01C5117387228EC9B7168BF
SHA-256: A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512: 89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Users\user\Desktop\msedge.exe
File Type: Generic INItialization configuration [WIN]
Category: dropped
Size (bytes): 64
Entropy (8bit): 3.6722687970803873
Encrypted: false
SSDEEP: 3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
MD5: DE63D53293EBACE29F3F54832D739D40
SHA1: 1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
SHA-256: A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
SHA-512: 10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
Malicious: false
Preview: ....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                                                            Process:C:\Users\user\Desktop\msedge.exe
                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Dec 16 06:39:15 2024, mtime=Mon Dec 16 06:39:15 2024, atime=Mon Dec 16 06:39:15 2024, length=68096, window=hide
                                                                                                            Category:dropped
                                                                                                            Size (bytes):772
                                                                                                            Entropy (8bit):5.08786856787447
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:8VE/4pL1YlC5Z3l6jA+f0gUNwuLEAYAM244t2YZ/elFlSJmkmV:8neu34A407kAxM2wqygm
                                                                                                            MD5:0C5BBE895E5A6826981303EA5B3F3639
                                                                                                            SHA1:8B94C0C298F59A117B1291011733FFA32D5AC4AD
                                                                                                            SHA-256:E2D9309DC27F975023F68C2F286587E3EEC864D19913A374DE0B2AB4D2BFC14B
                                                                                                            SHA-512:23A17759FB79D551F7B8B1EB75C208173EB81D99A9081F3A032739146EA1102F34E1E7CF4287A42146A927D5CB5887EABEF38E49645320A08C617E656E17618F
                                                                                                            Malicious:false
                                                                                                            Preview:L..................F.... ........O.......O.......O............................:..DG..Yr?.D..U..k0.&...&.........5q........O.....O......t. .CFSF..2......Y.< .svchost.exe...t.Y^...H.g.3..(.....gVA.G..k...H......Y.<.Y.<..........................v...s.v.c.h.o.s.t...e.x.e...F...H...............-.......G...........J..5.....C:\Users\user\svchost.exe.. .....\.....\.....\.....\.....\.....\.....\.s.v.c.h.o.s.t...e.x.e.............:...........|....I.J.H..K..:...`.......X.......284992...........hT..CrF.f4... ..[U.....+...E...hT..CrF.f4... ..[U.....+...E..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                                                            Process:C:\Users\user\Desktop\msedge.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):68096
                                                                                                            Entropy (8bit):5.935739381109993
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:1536:PQ7Pcr+Hl3nfHAmKttDKwv+F4PWSlbdt1GWnPTe6lO/fBK4n:+0qHl3nfHAmKttDKwW4PHbrcCPhO/f/n
                                                                                                            MD5:7F7A3DC4765E86E7F2C06E42FA8CD1AA
                                                                                                            SHA1:7E53565F05406060AD0767FEE6C25D88169EEB83
                                                                                                            SHA-256:B80255CBA447EF8BAB084763B3836776C42158673E386159DF71862BF583C126
                                                                                                            SHA-512:E9FA71E004C76D01AD125103C0675D677A6E05B1C3DF4BA5C78BD9BC5454A6BD22CDD7AB5DE26D77CDEB4A3865AEC1DB7FC080BCA7E16DEB7BF61C31300C6671
                                                                                                            Malicious:true
                                                                                                            Yara Hits:
                                                                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\svchost.exe, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\svchost.exe, Author: Joe Security
                                                                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\svchost.exe, Author: ditekSHen
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...rS.g................................. ... ....@.. .......................`............@.....................................K.... ..V....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...V.... ......................@..@.reloc.......@......................@..B........................H........n..........&.....................................................(....*.r...p*. ..e.*..(....*.r...p*. .\=.*.s.........s.........s.........s.........*.r5..p*. ....*.rO..p*. =...*.ri..p*. Y.R.*.r...p*. E/..*.r...p*. .m..*..((...*.r...p*. ..L.*.r...p*. .&..*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(&...&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.r...p*. 4...*.r...p*. .x!.*.r%..p*. ...*.r?..p*. J...*.rY..p*. ....*.rs..p*. pd..*.r..
                                                                                                            Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                            Category:modified
                                                                                                            Size (bytes):4926
                                                                                                            Entropy (8bit):3.2454261784797573
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:FaqdF7w8l0+AAHdKoqKFxcxkF28lraqdF7YGc+AAHdKoqKFxcxkFKGC:cEG+AAsoJjykcEhc+AAsoJjykRC
                                                                                                            MD5:A922A40D11A28357A59B2C2C4F3F4A4D
                                                                                                            SHA1:7D5A631BA0343FF728FB8038EAF15C235CFB7ACA
                                                                                                            SHA-256:CE71FC8F7E4F9E82BF399E59CAF214F6CDBED112D76A75BCF3F57B7CA04D5C62
                                                                                                            SHA-512:64A87F76298C295391EDAAF3286360668372D3A29316EB92BCD70CB4C9C42D7229A95196FEB2C0E01B45DA993091E01B6555358E38CE39C86BCDB69DF95D2191
                                                                                                            Malicious:false
                                                                                                            Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. O.c.t. .. 0.5. .. 2.0.2.3. .1.2.:.2.8.:.3.6.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.
                                                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Entropy (8bit):5.935739381109993
                                                                                                            TrID:
                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                            • Windows Screen Saver (13104/52) 0.07%
                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                            File name:msedge.exe
                                                                                                            File size:68'096 bytes
                                                                                                            MD5:7f7a3dc4765e86e7f2c06e42fa8cd1aa
                                                                                                            SHA1:7e53565f05406060ad0767fee6c25d88169eeb83
                                                                                                            SHA256:b80255cba447ef8bab084763b3836776c42158673e386159df71862bf583c126
                                                                                                            SHA512:e9fa71e004c76d01ad125103c0675d677a6e05b1c3df4ba5c78bd9bc5454a6bd22cdd7ab5de26d77cdeb4a3865aec1db7fc080bca7e16deb7bf61c31300c6671
                                                                                                            SSDEEP:1536:PQ7Pcr+Hl3nfHAmKttDKwv+F4PWSlbdt1GWnPTe6lO/fBK4n:+0qHl3nfHAmKttDKwW4PHbrcCPhO/f/n
                                                                                                            TLSH:71638D9CB3E50525E5FF5BF018F132168778FA635A03C62F68D9018A1B17A89CE50BF6
                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...rS.g................................. ... ....@.. .......................`............@................................
                                                                                                            Icon Hash:90cececece8e8eb0
                                                                                                            Entrypoint:0x411dde
                                                                                                            Entrypoint Section:.text
                                                                                                            Digitally signed:false
                                                                                                            Imagebase:0x400000
                                                                                                            Subsystem:windows gui
                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                            Time Stamp:0x67085372 [Thu Oct 10 22:21:38 2024 UTC]
                                                                                                            TLS Callbacks:
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:4
                                                                                                            OS Version Minor:0
                                                                                                            File Version Major:4
                                                                                                            File Version Minor:0
                                                                                                            Subsystem Version Major:4
                                                                                                            Subsystem Version Minor:0
                                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the bytes following the 6-byte jmp stub are 0x00, which decode as this instruction)

The stub at the entrypoint 0x411dde is the standard native thunk of a .NET executable: it jumps through the single IAT slot at 0x402000 (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000, size 0x8), which the loader resolves to the only import, mscoree.dll!_CorExeMain. Entrypoint + 6 = 0x411de4 is exactly the end of .text (0x2000 + 0xfde4), so the stub is the last thing in the section and all real logic lives in the CIL metadata referenced by IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11d90 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0x656 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xfde4 | 0xfe00 | 13243b4f30d9128ecbf870a1dd27f9fb | False | 0.5770792322834646 | data | 6.034444662312426 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x12000 | 0x656 | 0x800 | fa9d05d2b632a918b846b306553dd364 | False | 0.35009765625 | data | 3.5899093781377687 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x14000 | 0xc | 0x200 | ddb5a534ad2e3068484d362cead56b54 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x120a0 | 0x3cc | data | | | 0.42592592592592593
RT_MANIFEST | 0x1246c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

DLL | Import
mscoree.dll | _CorExeMain
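The static PE tables above are what an analyst re-derives by hand when a sandbox verdict needs checking. The following is an added example, not Joe Sandbox code and not code from the analysed sample: a minimal PE32 header walker that parses the COFF and optional headers, the data directories, the section table and the import table, and then tests the three header facts that identify a managed (.NET) executable: a populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, a single native import (mscoree.dll!_CorExeMain), and a 6-byte `jmp dword ptr [IAT]` stub at the entrypoint. `build_sample_image()` constructs an image in memory whose header values copy this report (ImageBase 0x400000, entrypoint 0x411dde, the three sections with their virtual and raw sizes, the directory RVAs); the inner layout of the import table, the CLR header bytes and the zero-filled section bodies are assumptions, so the image is not msedge.exe and hashes to nothing of interest.

```python
"""PE32 header triage for a managed executable (added example; assumptions noted inline)."""
import struct

DIR_IMPORT, DIR_RESOURCE, DIR_BASERELOC, DIR_IAT, DIR_COM = 1, 2, 5, 12, 14
ENTRY_RVA, IMAGE_BASE = 0x11DDE, 0x400000
# (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics) from the report
SECTIONS = [(b".text", 0x2000, 0xFDE4, 0xFE00, 0x200, 0x60000020),
            (b".rsrc", 0x12000, 0x656, 0x800, 0x10000, 0x40000040),
            (b".reloc", 0x14000, 0xC, 0x200, 0x10800, 0x42000040)]


def build_sample_image() -> bytes:
    """CONSTRUCTED PE32 image: 0x200 of headers + raw sections = 68'096 bytes, like the sample."""
    img = bytearray(0x10A00)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                                  # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 3, 0x67085372, 0, 0, 0xE0, 0x0102)  # COFF header
    img[0x98:0x98 + 96] = struct.pack(                                       # optional header (PE32)
        "<HBB9I6H4I2H6I", 0x10B, 48, 0, 0xFE00, 0xA00, 0, ENTRY_RVA, 0x2000, 0x12000,
        IMAGE_BASE, 0x2000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x16000, 0x200, 0, 2, 0x8540,
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = {DIR_IMPORT: (0x11D90, 0x4B), DIR_RESOURCE: (0x12000, 0x656), DIR_BASERELOC: (0x14000, 0xC),
            DIR_IAT: (0x2000, 8), DIR_COM: (0x2008, 0x48)}
    for i, (va, size) in dirs.items():
        struct.pack_into("<II", img, 0xF8 + 8 * i, va, size)
    for i, (name, va, vsize, raw, ptr, flags) in enumerate(SECTIONS):
        struct.pack_into("<8sIIIIIIHHI", img, 0x178 + 40 * i, name, vsize, va, raw, ptr, 0, 0, 0, 0, flags)
    off = lambda rva: rva - 0x2000 + 0x200                                   # file offset inside .text
    # Assumed inner layout: IAT slot, CLR header, one import descriptor, ILT, names, entry stub.
    struct.pack_into("<II", img, off(0x2000), 0x11DCC, 0)                   # IAT: one slot + terminator
    struct.pack_into("<IHH", img, off(0x2008), 0x48, 2, 5)                  # CLR header: cb, runtime 2.5
    struct.pack_into("<IIIII", img, off(0x11D90), 0x11DB8, 0, 0, 0x11DC0, 0x2000)  # IMAGE_IMPORT_DESCRIPTOR
    struct.pack_into("<II", img, off(0x11DB8), 0x11DCC, 0)                  # import lookup table
    img[off(0x11DC0):off(0x11DC0) + 12] = b"mscoree.dll\0"
    img[off(0x11DCC):off(0x11DCC) + 14] = b"\0\0_CorExeMain\0"              # hint + name
    img[off(ENTRY_RVA):off(ENTRY_RVA) + 6] = b"\xff\x25" + struct.pack("<I", IMAGE_BASE + 0x2000)
    return bytes(img)


def parse_pe(data: bytes) -> dict:
    """Headers a static-PE report is derived from (PE32 only)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry, = struct.unpack_from("<I", data, opt + 16)
    base, = struct.unpack_from("<I", data, opt + 28)
    ndirs, = struct.unpack_from("<I", data, opt + 92)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    dirs += [(0, 0)] * (16 - len(dirs))
    secs = []
    for i in range(nsec):
        name, vsize, va, raw, ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        secs.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "raw": raw, "ptr": ptr})
    return {"timestamp": stamp, "entry_rva": entry, "image_base": base, "dirs": dirs, "sections": secs}


def section_of(pe, rva):
    """Section covering an RVA (the report's 'Is in Section' column), or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw"]):
            return s
    return None


def rva_to_offset(pe, rva):
    s = section_of(pe, rva)
    if s is None:
        raise ValueError(f"RVA {rva:#x} maps to no section")
    return rva - s["va"] + s["ptr"]


def cstring(data, off):
    return data[off:data.index(b"\0", off)].decode()


def imports(pe, data):
    """Walk IMAGE_IMPORT_DESCRIPTOR entries; returns [(dll, [imported names])]."""
    va, result = pe["dirs"][DIR_IMPORT][0], []
    while va:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, rva_to_offset(pe, va))
        if name_rva == 0:
            break
        names, thunk = [], rva_to_offset(pe, ilt or iat)
        while (entry := struct.unpack_from("<I", data, thunk)[0]) != 0:
            names.append(f"#{entry & 0xFFFF}" if entry & 0x80000000 else cstring(data, rva_to_offset(pe, entry) + 2))
            thunk += 4
        result.append((cstring(data, rva_to_offset(pe, name_rva)), names))
        va += 20
    return result


def entry_stub_target(pe, data):
    """Absolute address read by a `FF 25 imm32` (jmp dword ptr [imm32]) at the entrypoint, else None."""
    off = rva_to_offset(pe, pe["entry_rva"])
    return struct.unpack_from("<I", data, off + 2)[0] if data[off:off + 2] == b"\xff\x25" else None


def is_managed(pe, data):
    """CLR assembly: COM descriptor present, sole import mscoree!_CorExeMain, entry jumps via the IAT."""
    com_va, com_size = pe["dirs"][DIR_COM]
    return (com_va != 0 and com_size >= 0x48
            and imports(pe, data) == [("mscoree.dll", ["_CorExeMain"])]
            and entry_stub_target(pe, data) == pe["image_base"] + pe["dirs"][DIR_IAT][0])


if __name__ == "__main__":
    img = build_sample_image()
    pe = parse_pe(img)
    print(f"entrypoint {pe['image_base'] + pe['entry_rva']:#x} in {section_of(pe, pe['entry_rva'])['name']}")
    print("imports:", imports(pe, img), "managed:", is_managed(pe, img))
```

`is_managed()` is deliberately strict: a native binary with a COM descriptor bolted on, or a .NET binary whose entry stub has been patched to run a native loader first, fails it, which is exactly the case where the "Mono/.Net assembly" file type alone would mislead. Pointing `parse_pe()` at a real file is a matter of `parse_pe(open(path, "rb").read())`; the walker assumes PE32 and raises on PE32+ rather than misreading the 64-bit optional header.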
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-16T08:39:36.707766+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.10 | 49855 | 147.185.221.22 | 48990 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 08:38:21.728810072 CET | 49707 | 80 | 192.168.2.10 | 208.95.112.1
Dec 16, 2024 08:38:21.848545074 CET | 80 | 49707 | 208.95.112.1 | 192.168.2.10
Dec 16, 2024 08:38:21.848689079 CET | 49707 | 80 | 192.168.2.10 | 208.95.112.1
Dec 16, 2024 08:38:21.849682093 CET | 49707 | 80 | 192.168.2.10 | 208.95.112.1
Dec 16, 2024 08:38:21.969377995 CET | 80 | 49707 | 208.95.112.1 | 192.168.2.10
Dec 16, 2024 08:38:23.000433922 CET | 80 | 49707 | 208.95.112.1 | 192.168.2.10
Dec 16, 2024 08:38:23.040877104 CET | 49707 | 80 | 192.168.2.10 | 208.95.112.1
Dec 16, 2024 08:39:14.149132013 CET | 80 | 49707 | 208.95.112.1 | 192.168.2.10
Dec 16, 2024 08:39:14.149225950 CET | 49707 | 80 | 192.168.2.10 | 208.95.112.1
Dec 16, 2024 08:39:24.042069912 CET | 49855 | 48990 | 192.168.2.10 | 147.185.221.22
Dec 16, 2024 08:39:24.161751032 CET | 48990 | 49855 | 147.185.221.22 | 192.168.2.10
Dec 16, 2024 08:39:24.161834955 CET | 49855 | 48990 | 192.168.2.10 | 147.185.221.22
Dec 16, 2024 08:39:24.223229885 CET | 49855 | 48990 | 192.168.2.10 | 147.185.221.22
Dec 16, 2024 08:39:24.343053102 CET | 48990 | 49855 | 147.185.221.22 | 192.168.2.10
Dec 16, 2024 08:39:36.707766056 CET | 49855 | 48990 | 192.168.2.10 | 147.185.221.22
Dec 16, 2024 08:39:36.828201056 CET | 48990 | 49855 | 147.185.221.22 | 192.168.2.10
Dec 16, 2024 08:39:46.057073116 CET | 48990 | 49855 | 147.185.221.22 | 192.168.2.10
Dec 16, 2024 08:39:46.060437918 CET | 49855 | 48990 | 192.168.2.10 | 147.185.221.22
Dec 16, 2024 08:39:46.572635889 CET | 49855 | 48990 | 192.168.2.10 | 147.185.221.22
Dec 16, 2024 08:39:46.574284077 CET | 49903 | 48990 | 192.168.2.10 | 147.185.221.22
Dec 16, 2024 08:39:46.694142103 CET | 48990 | 49855 | 147.185.221.22 | 192.168.2.10
Dec 16, 2024 08:39:46.695581913 CET | 48990 | 49903 | 147.185.221.22 | 192.168.2.10
Dec 16, 2024 08:39:46.695741892 CET | 49903 | 48990 | 192.168.2.10 | 147.185.221.22
Dec 16, 2024 08:39:47.092062950 CET | 49903 | 48990 | 192.168.2.10 | 147.185.221.22
Dec 16, 2024 08:39:47.211924076 CET | 48990 | 49903 | 147.185.221.22 | 192.168.2.10
Dec 16, 2024 08:39:59.338619947 CET | 49903 | 48990 | 192.168.2.10 | 147.185.221.22
Dec 16, 2024 08:39:59.458585978 CET | 48990 | 49903 | 147.185.221.22 | 192.168.2.10
Dec 16, 2024 08:40:03.011581898 CET | 49707 | 80 | 192.168.2.10 | 208.95.112.1
Dec 16, 2024 08:40:03.131625891 CET | 80 | 49707 | 208.95.112.1 | 192.168.2.10
Dec 16, 2024 08:40:08.592092991 CET | 48990 | 49903 | 147.185.221.22 | 192.168.2.10
Dec 16, 2024 08:40:08.592164040 CET | 49903 | 48990 | 192.168.2.10 | 147.185.221.22
Dec 16, 2024 08:40:09.494438887 CET | 49903 | 48990 | 192.168.2.10 | 147.185.221.22
Dec 16, 2024 08:40:09.614180088 CET | 48990 | 49903 | 147.185.221.22 | 192.168.2.10
Dec 16, 2024 08:40:11.573570013 CET | 49964 | 48990 | 192.168.2.10 | 147.185.221.22
Dec 16, 2024 08:40:11.693522930 CET | 48990 | 49964 | 147.185.221.22 | 192.168.2.10
Dec 16, 2024 08:40:11.693742037 CET | 49964 | 48990 | 192.168.2.10 | 147.185.221.22
Dec 16, 2024 08:40:11.731728077 CET | 49964 | 48990 | 192.168.2.10 | 147.185.221.22
Dec 16, 2024 08:40:11.851557970 CET | 48990 | 49964 | 147.185.221.22 | 192.168.2.10
Dec 16, 2024 08:40:25.690705061 CET | 49964 | 48990 | 192.168.2.10 | 147.185.221.22
Dec 16, 2024 08:40:25.810542107 CET | 48990 | 49964 | 147.185.221.22 | 192.168.2.10
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 08:38:21.581126928 CET | 49467 | 53 | 192.168.2.10 | 1.1.1.1
Dec 16, 2024 08:38:21.717995882 CET | 53 | 49467 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 16, 2024 08:38:21.581126928 CET | 192.168.2.10 | 1.1.1.1 | 0x8554 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 16, 2024 08:38:21.717995882 CET | 1.1.1.1 | 192.168.2.10 | 0x8554 | No error (0) | ip-api.com | (none) | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                                                                            • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49707 | 208.95.112.1 | 80 | 7660 | C:\Users\user\Desktop\msedge.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 08:38:21.849682093 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                                                                                            Host: ip-api.com
                                                                                                            Connection: Keep-Alive
Dec 16, 2024 08:38:23.000433922 CET | 174 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Mon, 16 Dec 2024 07:38:21 GMT
                                                                                                            Content-Type: text/plain; charset=utf-8
                                                                                                            Content-Length: 6
                                                                                                            Access-Control-Allow-Origin: *
                                                                                                            X-Ttl: 2
                                                                                                            X-Rl: 43
                                                                                                            Data Raw: 66 61 6c 73 65 0a
                                                                                                            Data Ascii: false

                                                                                                            Target ID:0
                                                                                                            Start time:02:38:15
                                                                                                            Start date:16/12/2024
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                            Imagebase:0x7ff7df220000
                                                                                                            File size:55'320 bytes
                                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:2
                                                                                                            Start time:02:38:16
                                                                                                            Start date:16/12/2024
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                            Imagebase:0x7ff7df220000
                                                                                                            File size:55'320 bytes
                                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            Target ID:3
                                                                                                            Start time:02:38:16
                                                                                                            Start date:16/12/2024
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                                                                                                            Imagebase:0x7ff7df220000
                                                                                                            File size:55'320 bytes
                                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            Target ID:4
                                                                                                            Start time:02:38:16
                                                                                                            Start date:16/12/2024
                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                                                                                            Imagebase:0x7ff7df220000
                                                                                                            File size:55'320 bytes
                                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            Target ID:5
                                                                                                            Start time:02:38:16
                                                                                                            Start date:16/12/2024
                                                                                                            Path:C:\Users\user\Desktop\msedge.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Users\user\Desktop\msedge.exe"
                                                                                                            Imagebase:0xbd0000
                                                                                                            File size:68'096 bytes
                                                                                                            MD5 hash:7F7A3DC4765E86E7F2C06E42FA8CD1AA
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000000.1269049317.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000000.1269049317.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000002.2521104558.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:low
                                                                                                            Has exited:false

                                                                                                            Target ID:7
                                                                                                            Start time:02:38:22
                                                                                                            Start date:16/12/2024
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge.exe'
                                                                                                            Imagebase:0x7ff7b2bb0000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:8
                                                                                                            Start time:02:38:22
                                                                                                            Start date:16/12/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff620390000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:10
                                                                                                            Start time:02:38:28
                                                                                                            Start date:16/12/2024
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
                                                                                                            Imagebase:0x7ff7b2bb0000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:11
                                                                                                            Start time:02:38:28
                                                                                                            Start date:16/12/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff620390000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:13
                                                                                                            Start time:02:38:38
                                                                                                            Start date:16/12/2024
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\svchost.exe'
                                                                                                            Imagebase:0x7ff7b2bb0000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:14
                                                                                                            Start time:02:38:38
                                                                                                            Start date:16/12/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff620390000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:15
                                                                                                            Start time:02:38:52
                                                                                                            Start date:16/12/2024
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                                                                                                            Imagebase:0x7ff7b2bb0000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:16
Start time: 02:38:52
Start date: 16/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff620390000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 02:39:15
Start date: 16/12/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\svchost.exe"
Imagebase: 0x7ff633910000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 02:39:16
Start date: 16/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff620390000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 19
Start time: 02:39:17
Start date: 16/12/2024
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase: 0x7ff74eb80000
File size: 468'120 bytes
MD5 hash: B3676839B2EE96983F9ED735CD044159
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 02:39:17
Start date: 16/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff620390000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 02:39:17
Start date: 16/12/2024
Path: C:\Users\user\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\svchost.exe
Imagebase: 0x8e0000
File size: 68'096 bytes
MD5 hash: 7F7A3DC4765E86E7F2C06E42FA8CD1AA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\svchost.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\svchost.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\svchost.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 82%, ReversingLabs
Has exited: true

Target ID: 22
Start time: 02:39:28
Start date: 16/12/2024
Path: C:\Users\user\svchost.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\svchost.exe"
Imagebase: 0x6c0000
File size: 68'096 bytes
MD5 hash: 7F7A3DC4765E86E7F2C06E42FA8CD1AA
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 02:39:37
Start date: 16/12/2024
Path: C:\Users\user\svchost.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\svchost.exe"
Imagebase: 0xa40000
File size: 68'096 bytes
MD5 hash: 7F7A3DC4765E86E7F2C06E42FA8CD1AA
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 02:40:01
Start date: 16/12/2024
Path: C:\Users\user\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\svchost.exe
Imagebase: 0x7c0000
File size: 68'096 bytes
MD5 hash: 7F7A3DC4765E86E7F2C06E42FA8CD1AA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true


Execution Graph

Execution Coverage: 19.9%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 33.3%
Total number of Nodes: 9
Total number of Limit Nodes: 0

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000005.00000002.2547850802.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff7c1420000_msedge.jbxd
Similarity
• API ID:
• String ID: 6$CAO_^
• API String ID: 0-2234428381
• Opcode ID: ddccab22e35180da3a6d0ab705c90ef249172b1833455eb34f77a16b18cc10cd
• Instruction ID: c73fcae6c11feeac16e225f9026f939aa8503173742f6b286f34ee337c9bbf6d
• Opcode Fuzzy Hash: ddccab22e35180da3a6d0ab705c90ef249172b1833455eb34f77a16b18cc10cd
• Instruction Fuzzy Hash: 50D29470B28A098FEB48EF28C899779B7E2FF88754F544579D40DD3391DE78A8818B41

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000005.00000002.2547850802.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff7c1420000_msedge.jbxd
Similarity
• API ID:
• String ID: B$CAO_^
• API String ID: 0-2056031807
• Opcode ID: 8734c0564f3d710426a82f41b04a6e114e14dc0268f676163fb24db830543f2b
• Instruction ID: 7128d3bc0535adedfd6d645ecca3887590e83a9719f199989563485d37de0382
• Opcode Fuzzy Hash: 8734c0564f3d710426a82f41b04a6e114e14dc0268f676163fb24db830543f2b
• Instruction Fuzzy Hash: 50A29330B18A098FEB48EF28C899779B7E2FF98355F5445B9D40DD3391DE78A8818B41

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000005.00000002.2547850802.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff7c1420000_msedge.jbxd
Similarity
• API ID:
• String ID: CAO_^
• API String ID: 0-3111533842
• Opcode ID: 68149bae31ed992481fdbfe2e8792d682f3d5420e323d41fa1261dd15bbe8a1f
• Instruction ID: b4088cb5237a9361c360190b5bb13fdea810fa90707ed6db6a5b308be8b44e05
• Opcode Fuzzy Hash: 68149bae31ed992481fdbfe2e8792d682f3d5420e323d41fa1261dd15bbe8a1f
• Instruction Fuzzy Hash: 4932B870F28A498FE798FB288859779B7D2FF89751F8445B9D00EC3382DD68B9818741

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000005.00000002.2547850802.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff7c1420000_msedge.jbxd
Similarity
• API ID:
• String ID: H
• API String ID: 0-2852464175
• Opcode ID: aac758cb2f61a790ddfcd58b9b7fb32a0517b9e4654989ad8bab070fa548b6ec
• Instruction ID: 76840e4f45925281a7f182c945e0e6953f756dc6e7bc5d7854dd0323423db625
• Opcode Fuzzy Hash: aac758cb2f61a790ddfcd58b9b7fb32a0517b9e4654989ad8bab070fa548b6ec
• Instruction Fuzzy Hash: 41C1B330F1C9094FEB98FB3888597B9B7D2FF98355F8441B9D40EC3292DE68A9814741

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 1025 7ff7c1427a41-7ff7c1427a59 1026 7ff7c1427a5b-7ff7c1427aa4 1025->1026 1027 7ff7c1427aa5-7ff7c1427afd CheckRemoteDebuggerPresent 1025->1027 1026->1027 1030 7ff7c1427aff 1027->1030 1031 7ff7c1427b05-7ff7c1427b48 1027->1031 1030->1031
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2547850802.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_7ff7c1420000_msedge.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CheckDebuggerPresentRemote
                                                                                                              • String ID:
                                                                                                              • API String ID: 3662101638-0
                                                                                                              • Opcode ID: 9128c2250a7c2c86825a1bf9fba5a13954c244febc73dbb43149ef5ad09e8d41
                                                                                                              • Instruction ID: 8bcf0fcee79e17e066164f5ab33109358cd2bc3f1860274aebae82ec91e72798
                                                                                                              • Opcode Fuzzy Hash: 9128c2250a7c2c86825a1bf9fba5a13954c244febc73dbb43149ef5ad09e8d41
                                                                                                              • Instruction Fuzzy Hash: CC41363190875C8FCB58DF5CC84A6E97BE0EF66321F0542ABD489D7292D734A846CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2547850802.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_7ff7c1420000_msedge.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d4b63b01f771d837a6e61136cb7ae6ce94c0943642d9b3af0a5c2706ce0922c6
                                                                                                              • Instruction ID: d609d6125e20e73e66705e9cce0885319de83f2690a400922d23968edde06423
                                                                                                              • Opcode Fuzzy Hash: d4b63b01f771d837a6e61136cb7ae6ce94c0943642d9b3af0a5c2706ce0922c6
                                                                                                              • Instruction Fuzzy Hash: 78F1A230908A4D8FEBA8EF28C8557E977E1FF55310F44427ED84DC7296CB74A9818B91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2547850802.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_7ff7c1420000_msedge.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a14f7f26358d75cce84f57d99dcfe2ae9ed1a8bcc94b9ee07bdf1766170e5532
                                                                                                              • Instruction ID: 1730f1242d43de27d7d5c90c6006ccaa8ddce7888c16e72955ce5e905bfee768
                                                                                                              • Opcode Fuzzy Hash: a14f7f26358d75cce84f57d99dcfe2ae9ed1a8bcc94b9ee07bdf1766170e5532
                                                                                                              • Instruction Fuzzy Hash: B6E1B530908A4E8FEBA8EF28C8567E977D1FF54311F44427ED84DC7291DE78A9858B81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2547850802.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_7ff7c1420000_msedge.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0f8e17aea611a06612453f5aad40ca4d41e03c3062cf7f4bc7c4267010e677a0
                                                                                                              • Instruction ID: beb2a00e9e4188997e81dce3e797d093cb13ee0664a3e8c94e6bdb2795338744
                                                                                                              • Opcode Fuzzy Hash: 0f8e17aea611a06612453f5aad40ca4d41e03c3062cf7f4bc7c4267010e677a0
                                                                                                              • Instruction Fuzzy Hash: B8512424A1DAC54FD786AB3858246B5BFE1EF87225B1801FBE0CDC71E3DD585846C352

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 829 7ff7c142b0dd-7ff7c142b1c0 RtlSetProcessIsCritical 832 7ff7c142b1c8-7ff7c142b1fd 829->832 833 7ff7c142b1c2 829->833 833->832
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2547850802.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_7ff7c1420000_msedge.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 2695349919-0
                                                                                                              • Opcode ID: 9db192118467dd9e5e3c8ab0eff81da2ada00fdbe88f62480c6c9cdfbd18d6e5
                                                                                                              • Instruction ID: df504afe29ac98a4e685e8f739b776a3926ffaa278fa9297d5c0f65278c7d242
                                                                                                              • Opcode Fuzzy Hash: 9db192118467dd9e5e3c8ab0eff81da2ada00fdbe88f62480c6c9cdfbd18d6e5
                                                                                                              • Instruction Fuzzy Hash: EE41B43190C6598FD719DF98D845BE9BBF0FF56311F04416ED08AC3692CB74A846CB91

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 941 7ff7c142bfa8-7ff7c142bfaf 942 7ff7c142bfba-7ff7c142c02d 941->942 943 7ff7c142bfb1-7ff7c142bfb9 941->943 946 7ff7c142c0b9-7ff7c142c0bd 942->946 947 7ff7c142c033-7ff7c142c040 942->947 943->942 948 7ff7c142c042-7ff7c142c07f SetWindowsHookExW 946->948 947->948 950 7ff7c142c087-7ff7c142c0b8 948->950 951 7ff7c142c081 948->951 951->950
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000005.00000002.2547850802.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_5_2_7ff7c1420000_msedge.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HookWindows
                                                                                                              • String ID:
                                                                                                              • API String ID: 2559412058-0
                                                                                                              • Opcode ID: 582666506b7a4a12375b83ae887cb7ec372ef500a3f74ef8ff3596a7a4ceb6a1
                                                                                                              • Instruction ID: 6cae76153934ed132960e721ebdb697d62120ad618caba25d527e70b4496ef50
                                                                                                              • Opcode Fuzzy Hash: 582666506b7a4a12375b83ae887cb7ec372ef500a3f74ef8ff3596a7a4ceb6a1
                                                                                                              • Instruction Fuzzy Hash: 0241EA71A1CA5D4FD758EF5C98066F9BBE1EB5A321F00427ED049C3292CE64B852C7D1
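Added triage example, not part of the Joe Sandbox report or its tooling: a small Python parser over the per-function blocks shown above. It pulls the API names out of each `control_flow_graph` line, reads the process index, image base and process name from the `Snapshot File` field, keeps the `Instruction Fuzzy Hash` for later pivoting, and flags the three primitives this listing shows in process 5 (msedge): CheckRemoteDebuggerPresent (anti-debugging), RtlSetProcessIsCritical (which sets the process's BreakOnTermination flag) and SetWindowsHookExW (an input hook). The watchlist labels, the two extra entries in it (IsDebuggerPresent, SetWindowsHookExA) and the sample input are this example's own assumptions; the sample mirrors the page's records in shortened form.

```python
"""Triage helper for Joe Sandbox 'Function' listings (added example, not part of
the report). It parses the text blocks the report emits per function (the
'control_flow_graph ...' line, 'Memory Dump Source', 'Snapshot File' and the
'Instruction Fuzzy Hash' fields) and flags functions that call APIs from a
small watchlist of evasion / protection / input-capture primitives.
"""
import re
from dataclasses import dataclass, field

# Watchlist is this example's own mapping of API name -> technique label
# (an assumption; the report itself carries only the API names).
WATCHLIST = {
    "CheckRemoteDebuggerPresent": "anti-debug",
    "IsDebuggerPresent": "anti-debug",
    "RtlSetProcessIsCritical": "process-protection (BreakOnTermination)",
    "SetWindowsHookExW": "input-hook (SetWindowsHookEx)",
    "SetWindowsHookExA": "input-hook (SetWindowsHookEx)",
}

_RANGE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)$")          # basic-block address range
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")           # API name token
_SNAPSHOT = re.compile(r"hcaresult_(\d+)_(\d+)_([0-9a-f]+)_(.+)\.jbxd$")


@dataclass
class FunctionRecord:
    process: str = ""
    process_index: int = -1
    image_base: str = ""
    start: str = ""
    apis: list = field(default_factory=list)
    instruction_fuzzy_hash: str = ""

    def tags(self):
        """Technique labels for every watchlisted API the function calls."""
        return sorted({WATCHLIST[a] for a in self.apis if a in WATCHLIST})


def parse_cfg_line(line):
    """Return (function start address, [API names]) from a control_flow_graph line.

    Node numbers ('1025'), edges ('1025->1027') and block ranges are skipped;
    the first block range gives the function start, bare identifiers are APIs.
    """
    start, apis = "", []
    for tok in line.split()[1:]:
        m = _RANGE.match(tok)
        if m and not start:
            start = m.group(1)
        elif _IDENT.match(tok):
            apis.append(tok)
    return start, apis


def parse_report(text):
    """Group the flat listing into FunctionRecord objects."""
    records, pending, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("control_flow_graph "):
            pending = parse_cfg_line(line)          # belongs to the next record
        elif line == "Memory Dump Source":
            cur = FunctionRecord()
            if pending:
                cur.start, cur.apis = pending
                pending = None
            records.append(cur)
        elif cur is not None and line.startswith("• "):
            key, _, value = line[2:].partition(":")
            key, value = key.strip(), value.strip()
            if key == "Snapshot File":
                m = _SNAPSHOT.search(value)
                if m:
                    cur.process_index = int(m.group(1))
                    cur.image_base = m.group(3)
                    cur.process = m.group(4)
            elif key == "Instruction Fuzzy Hash":
                cur.instruction_fuzzy_hash = value
    return records


def flag_suspicious(records):
    return [r for r in records if r.tags()]


def summarize(text):
    """One triage line per flagged function: process, start, APIs, technique tags."""
    return [
        f"pid#{r.process_index} {r.process} @{r.start}: {', '.join(r.apis)} -> {'; '.join(r.tags())}"
        for r in flag_suspicious(parse_report(text))
    ]


# Constructed sample shaped like the report's per-function blocks: three hits
# mirrored (shortened) from the listing plus one function with no API call.
SAMPLE = """
control_flow_graph 1025 7ff7c1427a41-7ff7c1427a59 1026 7ff7c1427a5b-7ff7c1427aa4 1025->1026 1027 7ff7c1427aa5-7ff7c1427afd CheckRemoteDebuggerPresent 1025->1027
APIs
Memory Dump Source
• Source File: 00000005.00000002.2547850802.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ff7c1420000_msedge.jbxd
• API ID: CheckDebuggerPresentRemote
• Instruction Fuzzy Hash: CC41363190875C8FCB58DF5CC84A6E97BE0EF66321F0542ABD489D7292D734A846CB91
Memory Dump Source
• Snapshot File: hcaresult_5_2_7ff7c1420000_msedge.jbxd
• Instruction Fuzzy Hash: 78F1A230908A4D8FEBA8EF28C8557E977E1FF55310F44427ED84DC7296CB74A9818B91
control_flow_graph 829 7ff7c142b0dd-7ff7c142b1c0 RtlSetProcessIsCritical 832 7ff7c142b1c8-7ff7c142b1fd 829->832
APIs
Memory Dump Source
• Snapshot File: hcaresult_5_2_7ff7c1420000_msedge.jbxd
• Instruction Fuzzy Hash: EE41B43190C6598FD719DF98D845BE9BBF0FF56311F04416ED08AC3692CB74A846CB91
control_flow_graph 941 7ff7c142bfa8-7ff7c142bfaf 942 7ff7c142bfba-7ff7c142c02d 948 7ff7c142c042-7ff7c142c07f SetWindowsHookExW 946->948
APIs
Memory Dump Source
• Snapshot File: hcaresult_5_2_7ff7c1420000_msedge.jbxd
• Instruction Fuzzy Hash: 0241EA71A1CA5D4FD758EF5C98066F9BBE1EB5A321F00427ED049C3292CE64B852C7D1
"""

if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```

Run against a full report export instead of `SAMPLE` and the three flagged functions come out with their start addresses inside the 7ff7c1420000 image and their instruction fuzzy hashes, which is what you carry over to other samples to find the same anti-debug, critical-process and hook routines under a different packer.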
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1379199505.00007FF7C14F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_7ff7c14f0000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: X7$v
                                                                                                              • API String ID: 0-1180122859
                                                                                                              • Opcode ID: da42159f188f179b38f28c72009f239928e42c22ce17a4004f16ec7989fda611
                                                                                                              • Instruction ID: 91b2cc0d3e7f5a54056c5b128ec1245300331757ee2a950f9d8dba816af06277
                                                                                                              • Opcode Fuzzy Hash: da42159f188f179b38f28c72009f239928e42c22ce17a4004f16ec7989fda611
                                                                                                              • Instruction Fuzzy Hash: 52D15631A0EA8A4FEB55AF2898555B5BBE1FF06320B4401FFD04DC7293DA68EC06C361
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1378815961.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_7ff7c1420000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f4d33b51af4b0b3efb082a5d6a01c74f868cf47393e80a7fdc68f6554095a000
                                                                                                              • Instruction ID: 3a957e6e08f4ba5f5d974e8ac4f6426a3141f72a4d5b77d2da084d594eea42fd
                                                                                                              • Opcode Fuzzy Hash: f4d33b51af4b0b3efb082a5d6a01c74f868cf47393e80a7fdc68f6554095a000
                                                                                                              • Instruction Fuzzy Hash: DA118E3690E7C84FD7039B3888251A07FB0EF57265B1A00F7D488CB1A3D5585D48C7A2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1378815961.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_7ff7c1420000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f2a21af3785394c738589aea99009dbc848a838977e5d16c7b843251c7639941
                                                                                                              • Instruction ID: 128222f7d40a0cc524cefc1466f429feb5e022eab2bb6da0391136af479f19f6
                                                                                                              • Opcode Fuzzy Hash: f2a21af3785394c738589aea99009dbc848a838977e5d16c7b843251c7639941
                                                                                                              • Instruction Fuzzy Hash: 94310B3191CB489FDB089F5CA8066F9BBE0FB99310F10416FE049C3252DA70A955CBC2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1378320464.00007FF7C130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C130D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_7ff7c130d000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b5a209b4f3f21157791f49004bb02b76290803db3faaaf501f39502ae4f41fc6
                                                                                                              • Instruction ID: 21f2d5ee9c7db6d95e9c036d6ba2e1cee5f5804a2104555dccf6909cdf026525
                                                                                                              • Opcode Fuzzy Hash: b5a209b4f3f21157791f49004bb02b76290803db3faaaf501f39502ae4f41fc6
                                                                                                              • Instruction Fuzzy Hash: 99411F7090DBC44FE7569B29A845A527FF0EF52324B1506FFD088CB1A3D625A84AC7A2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1378815961.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_7ff7c1420000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c603362ca93bc720f0c4f3dff12558263e88be7a35e2876edaee534bd5208d80
                                                                                                              • Instruction ID: 27c11be7f525b4b8613cc5e59a3510896b18c57285948f44d3dd68b5f55fd645
                                                                                                              • Opcode Fuzzy Hash: c603362ca93bc720f0c4f3dff12558263e88be7a35e2876edaee534bd5208d80
                                                                                                              • Instruction Fuzzy Hash: 0531F57190CB4C8FDB58DF68984A6E9BBF0EB96331F00426BD049C3152DA75A45ACB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1378815961.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_7ff7c1420000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5452972440b088680c217b963b1a50e0dcdb6edb0792cd037db7f5cda9f0668a
                                                                                                              • Instruction ID: cf99216363b0fefa2d9b7b0daa6fcaa533c017070b5f9b6ae669e90cbb22f535
                                                                                                              • Opcode Fuzzy Hash: 5452972440b088680c217b963b1a50e0dcdb6edb0792cd037db7f5cda9f0668a
                                                                                                              • Instruction Fuzzy Hash: 8B01A73010CB0C4FD748EF0CE451AA5B3E0FB99360F10056EE58AC3661DA32E892CB41
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000007.00000002.1379199505.00007FF7C14F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C14F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_7_2_7ff7c14f0000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 18f2e0e9746364789e84b010535b8301d992829d7a8db2a7dac11b64ba094b06
                                                                                                              • Instruction ID: efa581b4fc50c65ccf904b8af3a1c57a7b5608526d543af0b9590ef8f2c50c70
                                                                                                              • Opcode Fuzzy Hash: 18f2e0e9746364789e84b010535b8301d992829d7a8db2a7dac11b64ba094b06
                                                                                                              • Instruction Fuzzy Hash: B1F0BE32A0CA048FD758EB0CE4044A8B7E0EF5433075500BAE05DC76A3CE25EC848754
                                                                                                              Memory Dump Source
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1ea54ad4fb1a7aac5206c5b6af1a8a4ed54f0a2ab62e3d2e31129abe4599ee0e
                                                                                                              • Instruction ID: 7101b8b273fa576378254ff6140e81fad260aebb18af8ff03ce9c32a63c40a11
                                                                                                              • Opcode Fuzzy Hash: 1ea54ad4fb1a7aac5206c5b6af1a8a4ed54f0a2ab62e3d2e31129abe4599ee0e
                                                                                                              • Instruction Fuzzy Hash: 7441273040DBC44FD756AF3898829627FF0EF57324B1505EFD089CB1A3D625A846C7A2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.1622006135.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_7ff7c1440000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 79d413e5581cc60a456d97b04cfb9e5ab86ea0d12ce9b61bda15ca9475ea695c
                                                                                                              • Instruction ID: 54d5e4526e6d82ad73c4d04f77d018b9d56017b50b6a79dda38161a5c894edd3
                                                                                                              • Opcode Fuzzy Hash: 79d413e5581cc60a456d97b04cfb9e5ab86ea0d12ce9b61bda15ca9475ea695c
                                                                                                              • Instruction Fuzzy Hash: 9621383190CA4C4FDB68DF5C984A6FA7FE0EB96331F14426FD049C31A2D9656417C791
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.1622006135.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_7ff7c1440000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 70aa00635f972a6bac396fc46e5d72351287b17824183693041b1918d6b4f3e0
                                                                                                              • Instruction ID: c54b69891657694dda353fc0010de74ef287e9e7fb1097bd9f3af1f3cf9f17db
                                                                                                              • Opcode Fuzzy Hash: 70aa00635f972a6bac396fc46e5d72351287b17824183693041b1918d6b4f3e0
                                                                                                              • Instruction Fuzzy Hash: BA01677111CB0C4FD744EF0CE451AA5B7E0FB95364F50056EE58AC3661DA36E892CB45
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.1623263618.00007FF7C1510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1510000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_7ff7c1510000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 080fbdc0adcc0d92309ed0be20b2c44677638f8b716013ce2197791c0f06e33b
                                                                                                              • Instruction ID: 04b09cf21e16be7ae2fa40c43e516631c64f5e21337533edd8f3dcaa600e9c54
                                                                                                              • Opcode Fuzzy Hash: 080fbdc0adcc0d92309ed0be20b2c44677638f8b716013ce2197791c0f06e33b
                                                                                                              • Instruction Fuzzy Hash: 62F0BE32A4C9458FD759EB0CF8018E8B7E0EF5533076200BAE05EC71A3CB25EC848750
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.1623263618.00007FF7C1510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1510000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_7ff7c1510000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 578703d8f15d2bfe5791bde913939f3086d3f70b7d4fb1e12914d48c055521c2
                                                                                                              • Instruction ID: 214d6d65265e0628ff81907efd2168e4a3b91243bb87c9061a44dcff554f2066
                                                                                                              • Opcode Fuzzy Hash: 578703d8f15d2bfe5791bde913939f3086d3f70b7d4fb1e12914d48c055521c2
                                                                                                              • Instruction Fuzzy Hash: C3F05E32A4C5448FD755EB1CF4418A8B7E0FF4532079610B6E15AC75A3DB65AC44C760
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.1623263618.00007FF7C1510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1510000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_7ff7c1510000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                                              • Instruction ID: 3e9c6f5e31ea3d068cb85f171b962aee88928ada936acf47a782e1c77df232ea
                                                                                                              • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                                              • Instruction Fuzzy Hash: E2E0E531B4C8098F9B69EA0CF0409A9B3E1EB9833176211B6D14EC7561CB22EC518B90
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000D.00000002.1622006135.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_13_2_7ff7c1440000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: L_^4$L_^7$L_^F$L_^J
                                                                                                              • API String ID: 0-3225005683
                                                                                                              • Opcode ID: 913f187ea285faff4938319d75f33918dbdaf0f39a188b2b632093a72b0c74d8
                                                                                                              • Instruction ID: bef83125966de9e06c503334940bd13b21d834a66fd8b99228bd42f8c9cfc198
                                                                                                              • Opcode Fuzzy Hash: 913f187ea285faff4938319d75f33918dbdaf0f39a188b2b632093a72b0c74d8
                                                                                                              • Instruction Fuzzy Hash: C021F9B77085255FD3017BBDBC097ED7780CF9A37534551B2D2A98B253EA1470868AD0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000F.00000002.1840211730.00007FF7C1500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1500000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_15_2_7ff7c1500000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: X7!
                                                                                                              • API String ID: 0-782462255
                                                                                                              • Opcode ID: 824edd696b78d81438471e00cf636656412d256be7a7040f4b30a72415774756
                                                                                                              • Instruction ID: 64b5766f47b178a873ab105b9b5be2a567c125a59d73e77ec05f4224706bc13f
                                                                                                              • Opcode Fuzzy Hash: 824edd696b78d81438471e00cf636656412d256be7a7040f4b30a72415774756
                                                                                                              • Instruction Fuzzy Hash: 38C14771A0DA8A4FEB55AF6868155B9FBE1FF05364B4801FED00DC71E3EA64AC06C361
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000F.00000002.1837486563.00007FF7C131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C131D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_15_2_7ff7c131d000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 7D62
                                                                                                              • API String ID: 0-2061564653
                                                                                                              • Opcode ID: d990649a81017f1c1b5001639512a923c8b52e753eab90d0a3aabd67358ea719
                                                                                                              • Instruction ID: 57a995dc42afd371cc64fa955b4591327d3638e6a3ea46b4926be449de1728bc
                                                                                                              • Opcode Fuzzy Hash: d990649a81017f1c1b5001639512a923c8b52e753eab90d0a3aabd67358ea719
                                                                                                              • Instruction Fuzzy Hash: AD41257040DBC04FE7569B39DC41A523FF0EF52324B1606EFD088CB0A3D625A84AC7A2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000F.00000002.1839032136.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_15_2_7ff7c1430000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4df8f4bc4b622c0380eebd988534c9a84a45a260505e6fa92639461f547371db
                                                                                                              • Instruction ID: 6b4cd9df0b50805d8dd7b0902e26a6869fad6de460fbe152151888be4e522333
                                                                                                              • Opcode Fuzzy Hash: 4df8f4bc4b622c0380eebd988534c9a84a45a260505e6fa92639461f547371db
                                                                                                              • Instruction Fuzzy Hash: 3731FA7191CB888FDB19DF1CAC066A97BF0FB99710F00426FE449D3252CA70A815CBC2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000F.00000002.1839032136.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_15_2_7ff7c1430000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d3e12c6e61a14d00afea038f6eea154446e4529e43b2d7bc8200abc77ba53fb5
                                                                                                              • Instruction ID: 0b5d62764f5661c3e26e35528b3dc71cf2c73ab6b0a595df7d0fbb8646635129
                                                                                                              • Opcode Fuzzy Hash: d3e12c6e61a14d00afea038f6eea154446e4529e43b2d7bc8200abc77ba53fb5
                                                                                                              • Instruction Fuzzy Hash: C521D73190C74C4FDB59DF68984A7E97FE0EB96331F04416BD449C3152DA74A41ACB92
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000F.00000002.1840211730.00007FF7C1500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1500000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_15_2_7ff7c1500000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e11ad60a15ced8c709dd6b2170f1b43bad92ca2c8813d6f45ff906e5cf6fbc31
                                                                                                              • Instruction ID: c0240e1c3970592cc1cc06a02ed708297eb714fe522dd185cfc6ca2f651c01f0
                                                                                                              • Opcode Fuzzy Hash: e11ad60a15ced8c709dd6b2170f1b43bad92ca2c8813d6f45ff906e5cf6fbc31
                                                                                                              • Instruction Fuzzy Hash: 4311E7B1E0DA898FEB58EF98A090279F7D1EF48321F9401BEC04DD71D3DE25A8468361
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000F.00000002.1839032136.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_15_2_7ff7c1430000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                              • Instruction ID: 3c51e4c4f3955faf83e41b9041cfc47b18711a59c176f735775c2e75df53298d
                                                                                                              • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                              • Instruction Fuzzy Hash: 9701677111CB0C4FD744EF0CE451AA5B7E0FB95364F50056EE58AC3661DA36E892CB45
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000F.00000002.1839032136.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_15_2_7ff7c1430000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: daf1c7f05d3f69196456b6fa2bdc74e6e7579b6c2a84cec7c7b2d9ee4b7f37ab
                                                                                                              • Instruction ID: 69410d30cf87dd63cfc778c05c4e41f0396d7611e7b1de572cfd1b52ef9ae414
                                                                                                              • Opcode Fuzzy Hash: daf1c7f05d3f69196456b6fa2bdc74e6e7579b6c2a84cec7c7b2d9ee4b7f37ab
                                                                                                              • Instruction Fuzzy Hash: 88F0F076608A8D8FCB05EF2C98540E8BFA0FF66211B0102EBD448C3121CB619918CBC1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000F.00000002.1840211730.00007FF7C1500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1500000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_15_2_7ff7c1500000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 12d27afef36e1df23f04a524f158a8dd41a59dda260aa5d983b2b8157f720718
                                                                                                              • Instruction ID: 006a37a1bb6792ebbe3730506d6615855161c321eee6706b5a23a8a321b52bf1
                                                                                                              • Opcode Fuzzy Hash: 12d27afef36e1df23f04a524f158a8dd41a59dda260aa5d983b2b8157f720718
                                                                                                              • Instruction Fuzzy Hash: 21F0BE32A0C9448FD759EB4CF4008A8B7E0EF54330B9100BAE05DC71A3DA25EC808750
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000F.00000002.1840211730.00007FF7C1500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1500000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_15_2_7ff7c1500000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 95bab0e1e5783e0b989cdd4cdd388a8a4a501fb1425851054503d4f273a9e021
                                                                                                              • Instruction ID: 958333899e9190135e4e45a4f89157033cf1a00bd1b9cc0a6cb3e3a4e3d0d5c3
                                                                                                              • Opcode Fuzzy Hash: 95bab0e1e5783e0b989cdd4cdd388a8a4a501fb1425851054503d4f273a9e021
                                                                                                              • Instruction Fuzzy Hash: 03F05E31A0C5448FD755EB5CF4418A8B7E0FF45321B9600B6E159C7563DA65AC548760
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000F.00000002.1840211730.00007FF7C1500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1500000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_15_2_7ff7c1500000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 850200b52e7b3945c66b28e52148dddc0f97d0e7cd6181eb6b64c6e244d8790d
                                                                                                              • Instruction ID: a08950379540c83e99c1143cf0ee99fb4c6bb6d6f96eb20e954d39f988f4fb66
                                                                                                              • Opcode Fuzzy Hash: 850200b52e7b3945c66b28e52148dddc0f97d0e7cd6181eb6b64c6e244d8790d
                                                                                                              • Instruction Fuzzy Hash: 37219D9284E7C54FD317AB741CB00A4BF70AF1312470E00FBC485CB4E3E9485949C7A2
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000F.00000002.1839032136.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_15_2_7ff7c1430000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                                                                              • API String ID: 0-962139525
                                                                                                              • Opcode ID: 32ba26589fa0e7a62dd8a312b3dc4cc8d233eb561294beb8cf2edc3a6d3793b8
                                                                                                              • Instruction ID: 8cf7ccbb878e7b045ccd28b96b6317aa984029743ee9b46e3b9edad138417fe4
                                                                                                              • Opcode Fuzzy Hash: 32ba26589fa0e7a62dd8a312b3dc4cc8d233eb561294beb8cf2edc3a6d3793b8
                                                                                                              • Instruction Fuzzy Hash: A321C5B36445158AD301366CBC45BD8B7C0DF5A3B938603F3E029CF2A3E918B4878A81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.1918185414.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ff7c1440000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dbd7e464b80d20aa2044c3492fd63faae5117d2e8f54b9395b40b0e413a4cf4b
                                                                                                              • Instruction ID: 5cbee69153214008bfc6eb9ce9473aaf9d5aeff5f6191c5f015b05487c548718
                                                                                                              • Opcode Fuzzy Hash: dbd7e464b80d20aa2044c3492fd63faae5117d2e8f54b9395b40b0e413a4cf4b
                                                                                                              • Instruction Fuzzy Hash: A132B370F28A498FE798FB2888597B9B7D2FF89751F840579D40EC3392DE68B8018741
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.1918185414.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ff7c1440000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0a9191e0be67b7f9d9419e25f73a58c62cb0a278610e67622979574b81935319
                                                                                                              • Instruction ID: 81f3996ffe7bf632d087a400332fc91c3a1b35f9cd3a64d820e5df059c0ac407
                                                                                                              • Opcode Fuzzy Hash: 0a9191e0be67b7f9d9419e25f73a58c62cb0a278610e67622979574b81935319
                                                                                                              • Instruction Fuzzy Hash: 6071F422A1D6960FE352B73C68196F96BD1DF8737570842BAD0CDCB2E3DC4868878391
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.1918185414.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ff7c1440000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 784f81c24fbfe53ddff6021465d6732f19cc868aaad7fc6f536df7ab542658a4
                                                                                                              • Instruction ID: 17bace0e8b6ae2e7d22fa3f9fa8a7ea9ba25f4956fe259df340553e8bc501fd4
                                                                                                              • Opcode Fuzzy Hash: 784f81c24fbfe53ddff6021465d6732f19cc868aaad7fc6f536df7ab542658a4
                                                                                                              • Instruction Fuzzy Hash: C2512320A1EAC94FD786AB3858246B5BFE1EF87225B0801FBE0CDC71A3DD585846C352
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.1918185414.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ff7c1440000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ;M_$<M_^
                                                                                                              • API String ID: 0-3421805066
                                                                                                              • Opcode ID: f511d181056197612e287b1d3a672507d337683f22e685c0726ae87d342ba336
                                                                                                              • Instruction ID: ad2ffd035e0d0c1c4ac0bb013e53a91239db8e4271bc2d304e8ee522276bb503
                                                                                                              • Opcode Fuzzy Hash: f511d181056197612e287b1d3a672507d337683f22e685c0726ae87d342ba336
                                                                                                              • Instruction Fuzzy Hash: 17411732F491495FD740FB2CE8A5AE9BBB2EF8635678445B5D009CB393CE247405C741
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.1918185414.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ff7c1440000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 233b927b6dff3a84f05a32d26d022e9792f052266d51a677ff9cb7eb579986f2
                                                                                                              • Instruction ID: 0473298ced2048b5c01cf7693b2be0298110e0820cf5b9007a994a174dceead9
                                                                                                              • Opcode Fuzzy Hash: 233b927b6dff3a84f05a32d26d022e9792f052266d51a677ff9cb7eb579986f2
                                                                                                              • Instruction Fuzzy Hash: 3131B171E1890E9FDB40AB28D8652EDFB71FF89315F8007B6C40AE3392CE3469168790
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.1918185414.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ff7c1440000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d09d88067caa6c5e2ab8f7d9819ef8bf651a8070fbb5cd81fd480771b94a5538
                                                                                                              • Instruction ID: c7601e05fd2830d6eb43ff09841e2bd61fc9d63f9508a7115f590cd445d27278
                                                                                                              • Opcode Fuzzy Hash: d09d88067caa6c5e2ab8f7d9819ef8bf651a8070fbb5cd81fd480771b94a5538
                                                                                                              • Instruction Fuzzy Hash: D751B372F0951E8BEB40BFACE8556ECB3A1FF89366B54427AD009C7392CE35B4418794
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.1918185414.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ff7c1440000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3e13f1bd784e1ad86cea750aee3cf7adfa0c77876f63fde75a9f51b20dbb27ba
                                                                                                              • Instruction ID: f6d93c02dc3b6b6b577855aa4a7bbf2f6d344a7863d017b7043392f7090473cf
                                                                                                              • Opcode Fuzzy Hash: 3e13f1bd784e1ad86cea750aee3cf7adfa0c77876f63fde75a9f51b20dbb27ba
                                                                                                              • Instruction Fuzzy Hash: 3541A172F0591E9FDB44FB68D8556EDB7A2FF89322B90467AD009C7382CE35A446C780
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.1918185414.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ff7c1440000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 479c44332af273a0c94c32bccc8467d96f8dffc803f55abfd02699baa973bb1a
                                                                                                              • Instruction ID: 0bc03ffe6a6d0b8fcac22c331f8e75277ebb68fec1de8c37a16fbb69dc74682d
                                                                                                              • Opcode Fuzzy Hash: 479c44332af273a0c94c32bccc8467d96f8dffc803f55abfd02699baa973bb1a
                                                                                                              • Instruction Fuzzy Hash: F1319521B18D494FE798EB2C9859779B7D2EF99365F4406BEE00EC3393DE68AC418341
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.1918185414.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ff7c1440000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a7eb5003709a90b7de4cd182ed8ad8abeab1c55cefe5daa0533014eea9c90fd5
                                                                                                              • Instruction ID: aaf7c79ef43cf96ed128538e545936287c867654975be636b6b6dc8e875e6c6e
                                                                                                              • Opcode Fuzzy Hash: a7eb5003709a90b7de4cd182ed8ad8abeab1c55cefe5daa0533014eea9c90fd5
                                                                                                              • Instruction Fuzzy Hash: 50214F61B14D0A4BFB84BBAC581E3FCB2D2EF9D762F500276E50EC3386DD28A8424751
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.1918185414.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ff7c1440000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4a84b754bc4b6eff918a145bb7dd6dc6af40e8987a549e3a97992fa5596b22fc
                                                                                                              • Instruction ID: 172b8840b73ec3cd67a4338cdbcc6a2f6e112c41537157b18fa5acaaf0d9773b
                                                                                                              • Opcode Fuzzy Hash: 4a84b754bc4b6eff918a145bb7dd6dc6af40e8987a549e3a97992fa5596b22fc
                                                                                                              • Instruction Fuzzy Hash: B8217161E5954D6FE780EB6CD4A8AA9BF73FF88302BD48564D40AC3386CE746901C751
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.1918185414.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ff7c1440000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 304d819303c019ce8aac7850559574b04a12ffd5c2a3849da11678cf5adb81a3
                                                                                                              • Instruction ID: 456649afa16209183376bc0d0aa5bc16d427f36c00becbc77e4e2665353f3039
                                                                                                              • Opcode Fuzzy Hash: 304d819303c019ce8aac7850559574b04a12ffd5c2a3849da11678cf5adb81a3
                                                                                                              • Instruction Fuzzy Hash: 0C01F714D0C6850FF791BB386C55972BFE0EFD5261B8805BBD888D71D7D848AA4483A2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000016.00000002.2033001282.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_22_2_7ff7c1440000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3aac7a4fde180d502efec8288ab02733e9ad6b078d930664b1d3bb82a4ebf6df
                                                                                                              • Instruction ID: 8602c807e97a5c7b47071e12487fde4f671c770ca5223f1365853ab2e2e03d9a
                                                                                                              • Opcode Fuzzy Hash: 3aac7a4fde180d502efec8288ab02733e9ad6b078d930664b1d3bb82a4ebf6df
                                                                                                              • Instruction Fuzzy Hash: D032B670F18A4A8FE794FB2C88596B9B7D2FF89751F844579D04EC3392DE68B8028741
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000016.00000002.2033001282.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_22_2_7ff7c1440000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000017.00000002.2115084767.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_23_2_7ff7c1440000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c052a6ca3b53f907ca9ace790ce3da5ba7d67bae3f22a77d0ba87b4d7a1d7b69
                                                                                                              • Instruction ID: 159ae17b60d0ed56c4a16c29c0147fd1d4e6006e09a056b4d7d201fce60d2659
                                                                                                              • Opcode Fuzzy Hash: c052a6ca3b53f907ca9ace790ce3da5ba7d67bae3f22a77d0ba87b4d7a1d7b69
                                                                                                              • Instruction Fuzzy Hash: 2A218D31E9950D6BEB40FB2C84B95A9BF72BFC8302BC0C464D40A87786CE646941C751
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000017.00000002.2115084767.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_23_2_7ff7c1440000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 69ddcd5df7d126f3b158442c6f7a34c3a5a5786a4a930f2f5b3f54309c0c44f5
                                                                                                              • Instruction ID: 220fd53c67dfb678973c997ab6fdb0c85aad96b36768505538a47313e073c1a2
                                                                                                              • Opcode Fuzzy Hash: 69ddcd5df7d126f3b158442c6f7a34c3a5a5786a4a930f2f5b3f54309c0c44f5
                                                                                                              • Instruction Fuzzy Hash: 9301F714D0C6850FF791BB382C55972BFE0EFD5261B8805BBD888D71D7D848AA8483A2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000018.00000002.2353113691.00007FF7C1450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1450000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_24_2_7ff7c1450000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 592681b00762cf1085272f7fd037de66d26736232e46d32be69d529ede3d0311
                                                                                                              • Instruction ID: a1f5aa6d37c0f83505d0d6e3699cdf785dd4064ca7c0765d983b41411905f694
                                                                                                              • Opcode Fuzzy Hash: 592681b00762cf1085272f7fd037de66d26736232e46d32be69d529ede3d0311
                                                                                                              • Instruction Fuzzy Hash: 8632B330F28E494FE794FB28886A6B9B7D2FF89751F840579D40EC33D2DE68A9418741
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000018.00000002.2353113691.00007FF7C1450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1450000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_24_2_7ff7c1450000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 229105bd1d8547239307d070261a02210b9e3c42e2a926af1fa89eab7d70d6c4
                                                                                                              • Instruction ID: 2714d8c8bbc3e9a8b98182221f1ba3698ce07a4824a9e1ada3f07b116bd944e4
                                                                                                              • Opcode Fuzzy Hash: 229105bd1d8547239307d070261a02210b9e3c42e2a926af1fa89eab7d70d6c4
                                                                                                              • Instruction Fuzzy Hash: 5071F822A5DA960FE352767C68192F96BD1DF8B37570841BBD0CDCB2A3DC0868878352
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000018.00000002.2353113691.00007FF7C1450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1450000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_24_2_7ff7c1450000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dbf3ced66b3976f5007a4a263bcbdb5472b1cfe6092d811c192c7409103007ee
                                                                                                              • Instruction ID: 38d4396edffe36878b0d8b9bc1925a203d491e981278ab71bc4d80aed080a18d
                                                                                                              • Opcode Fuzzy Hash: dbf3ced66b3976f5007a4a263bcbdb5472b1cfe6092d811c192c7409103007ee
                                                                                                              • Instruction Fuzzy Hash: 7E510560A1EAC54FD786AB3858346B6BFE5DF87225B0801FBE0CEC71A3DD585846C352
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000018.00000002.2353113691.00007FF7C1450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1450000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_24_2_7ff7c1450000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ;L_$<L_^
                                                                                                              • API String ID: 0-636787459
                                                                                                              • Opcode ID: f5af13c5736d2b14a23008050ed31cc9e85273dbd26fd52d5c87df88f1b3f91c
                                                                                                              • Instruction ID: 8d4b09feec74e8ffe5cb86dbe4ca526b1400ae5770927b45e8d305c753353d4a
                                                                                                              • Opcode Fuzzy Hash: f5af13c5736d2b14a23008050ed31cc9e85273dbd26fd52d5c87df88f1b3f91c
                                                                                                              • Instruction Fuzzy Hash: 1241E472F4E5095FD700EB6CE8A52E9BBB1FF853A67848076D0098B393CE247546C790
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000018.00000002.2353113691.00007FF7C1450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1450000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_24_2_7ff7c1450000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 96296aed73a18573d23dc912d43902cb73cf069ca934c6eb6859d1b76ef8f4eb
                                                                                                              • Instruction ID: 745bcaa0f23a056c726187e81e1a48d692e420a4cfc85fb96d94d70764497aab
                                                                                                              • Opcode Fuzzy Hash: 96296aed73a18573d23dc912d43902cb73cf069ca934c6eb6859d1b76ef8f4eb
                                                                                                              • Instruction Fuzzy Hash: CC31C471E1890E9FDB41AB6CD8652EDBBB1FF59355F8002B6C40AE3292CE346915C790
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000018.00000002.2353113691.00007FF7C1450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1450000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_24_2_7ff7c1450000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 65cee158a4fe5841b5eb944ff8ed59fc9573213cd76845ea40deb1a38f7bc6ed
                                                                                                              • Instruction ID: f4e8c33f64d23acf5f9b1c4c98aca969c87812b99a8ab157d5a09671e0a0aef5
                                                                                                              • Opcode Fuzzy Hash: 65cee158a4fe5841b5eb944ff8ed59fc9573213cd76845ea40deb1a38f7bc6ed
                                                                                                              • Instruction Fuzzy Hash: 1B51A336F0891A4BDB00BFACA8552ECB3A1FF89366B544136D00AC7392CE25B5468790
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000018.00000002.2353113691.00007FF7C1450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1450000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_24_2_7ff7c1450000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0f2777aaf9f854a02d100e243f3def6e1b6843629004af439477ce6f2e9b6af2
                                                                                                              • Instruction ID: f30b3175ff7e91129c21a654b40f80ab3553f453147a02c4de93aa168093e166
                                                                                                              • Opcode Fuzzy Hash: 0f2777aaf9f854a02d100e243f3def6e1b6843629004af439477ce6f2e9b6af2
                                                                                                              • Instruction Fuzzy Hash: A841C131F0891A9FDB44FB6CD8656ECB3A1FF89352B90453AD00AD7392CE35A546CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000018.00000002.2353113691.00007FF7C1450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1450000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_24_2_7ff7c1450000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c56f6e9a3e7a9b46a71c0d57421275fc3c24dec0ee7daa966c849b9187e7f8b9
                                                                                                              • Instruction ID: a393a39a709026031af9d8bac16edffb4d6c4c0a964435babf80b0861ac059f7
                                                                                                              • Opcode Fuzzy Hash: c56f6e9a3e7a9b46a71c0d57421275fc3c24dec0ee7daa966c849b9187e7f8b9
                                                                                                              • Instruction Fuzzy Hash: 4431A631B18D494FE798EB2C9859779B6D2EF99365F4402BEE40EC3293DE68AC418341
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000018.00000002.2353113691.00007FF7C1450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1450000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_24_2_7ff7c1450000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d852c64a4952d46a992369e3af45fad2bbdc0c8bf1e1d59d446a6899e5362260
                                                                                                              • Instruction ID: 546288890318e36c9a07b276924f5856efe1d5c7a27ebb4f7259a46029ea6d31
                                                                                                              • Opcode Fuzzy Hash: d852c64a4952d46a992369e3af45fad2bbdc0c8bf1e1d59d446a6899e5362260
                                                                                                              • Instruction Fuzzy Hash: D0214261B14D0A4BFB84BBAC581E3BCB2D2EF9C762F504276E50EC3382DD28A8418351
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000018.00000002.2353113691.00007FF7C1450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1450000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_24_2_7ff7c1450000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ad220aa36166f773e98e920ef6033c00b8972f668c17095ebd19e61e47fc9cfa
                                                                                                              • Instruction ID: 6e4d15b08c8113f19f9717567b8cd7dbc9ab0ce128ca29bb1e8a7486fa970b4e
                                                                                                              • Opcode Fuzzy Hash: ad220aa36166f773e98e920ef6033c00b8972f668c17095ebd19e61e47fc9cfa
                                                                                                              • Instruction Fuzzy Hash: 2A217170E5E50D6FD740EF6CD4A56A9BF72BF88342BC08564D40AC3786CE746A01C751
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000018.00000002.2353113691.00007FF7C1450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1450000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_24_2_7ff7c1450000_svchost.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8628e260b5ac2060872d55644b5b624698d1ec2eaa3325fa1947b72da816ce3b
                                                                                                              • Instruction ID: 249b66245f1e6801c29e38a5ef7ae4b588193a201ad1de9c8957b13b1acf396e
                                                                                                              • Opcode Fuzzy Hash: 8628e260b5ac2060872d55644b5b624698d1ec2eaa3325fa1947b72da816ce3b
                                                                                                              • Instruction Fuzzy Hash: 0B014C28D0CA815FE381BB381865831BFE0DFD12A1B8404BBEC88C71D7D9445A408392