Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Zoom.exe

Overview

General Information

Sample name:Zoom.exe
Analysis ID:1557990
MD5:da30eab35f763bc0c5100f7da5f8e676
SHA1:218134a4b2e2d00ea18cf528ae35431a01474fe3
SHA256:80e520bd05e9f430994d7108aa44e756421bb5ba84ef12972ecb280545bcef3a
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Set autostart key via New-ItemProperty Cmdlet
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Monitors registry run keys for changes
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64native
  • Zoom.exe (PID: 7556 cmdline: "C:\Users\user\Desktop\Zoom.exe" MD5: DA30EAB35F763BC0C5100F7DA5F8E676)
    • powershell.exe (PID: 7772 cmdline: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • explorer.exe (PID: 7744 cmdline: C:\Windows\explorer.exe MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
    • explorer.exe (PID: 2140 cmdline: C:\Windows\explorer.exe MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
      • chrome.exe (PID: 7728 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: BB7C48CDDDE076E7EB44022520F40F77)
        • chrome.exe (PID: 2980 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2220,i,9109457994456723034,8271552518861750300,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2224 /prefetch:3 MD5: BB7C48CDDDE076E7EB44022520F40F77)
  • Zoom.exe (PID: 1260 cmdline: "C:\Users\user\AppData\Roaming\Zoom.exe" MD5: DA30EAB35F763BC0C5100F7DA5F8E676)
  • Zoom.exe (PID: 7756 cmdline: "C:\Users\user\AppData\Roaming\Zoom.exe" MD5: DA30EAB35F763BC0C5100F7DA5F8E676)
  • svchost.exe (PID: 5852 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: F586835082F632DC8D9404D83BC16316)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    Process Memory Space: Zoom.exe PID: 1260JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security

      Sigma Signatures

      System Summary

      barindex
      Sigma detected: CurrentVersion Autorun Keys Modification
      Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Zoom.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7772, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zoom
      Sigma detected: Non Interactive PowerShell Process Spawned
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String', CommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String', CommandLine|base64offset|contains: E^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Zoom.exe", ParentImage: C:\Users\user\Desktop\Zoom.exe, ParentProcessId: 7556, ParentProcessName: Zoom.exe, ProcessCommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String', ProcessId: 7772, ProcessName: powershell.exe
      Sigma detected: Windows Processes Suspicious Parent Directory
      Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 900, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5852, ProcessName: svchost.exe

      Persistence and Installation Behavior

      barindex
      Sigma detected: Set autostart key via New-ItemProperty Cmdlet
      Source: Process startedAuthor: Joe Security: Data: Command: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String', CommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String', CommandLine|base64offset|contains: E^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Zoom.exe", ParentImage: C:\Users\user\Desktop\Zoom.exe, ParentProcessId: 7556, ParentProcessName: Zoom.exe, ProcessCommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String', ProcessId: 7772, ProcessName: powershell.exe

      Suricata Signatures

      No Suricata rule has matched

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Antivirus / Scanner detection for submitted sample
      Source: Zoom.exeAvira: detected
      Antivirus detection for dropped file
      Source: C:\Users\user\AppData\Roaming\Zoom.exeAvira: detection malicious, Label: HEUR/AGEN.1323341
      Multi AV Scanner detection for dropped file
      Source: C:\Users\user\AppData\Roaming\Zoom.exeReversingLabs: Detection: 44%
      Multi AV Scanner detection for submitted file
      Source: Zoom.exeReversingLabs: Detection: 44%
      Machine Learning detection for dropped file
      Source: C:\Users\user\AppData\Roaming\Zoom.exeJoe Sandbox ML: detected
      Machine Learning detection for sample
      Source: Zoom.exeJoe Sandbox ML: detected
      Source: Zoom.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: Zoom.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Joe Sandbox ViewIP Address: 72.21.81.240 72.21.81.240
      Source: Joe Sandbox ViewIP Address: 9.9.9.9 9.9.9.9
      Source: Joe Sandbox ViewIP Address: 1.1.1.1 1.1.1.1
      Source: handlers.json.0.drString found in binary or memory: {"defaultHandlersVersion":{"en-GB":4},"mimeTypes":{"application/pdf":{"action":3,"extensions":["pdf"]},"text/xml":{"action":3,"extensions":["xml"]},"image/svg+xml":{"action":3,"extensions":["svg"]},"image/webp":{"action":3,"extensions":["webp"]}},"schemes":{"irc":{"stubEntry":true,"handlers":[null,{"name":"Mibbit","uriTemplate":"https://www.mibbit.com/?url=%s"}]},"ircs":{"stubEntry":true,"handlers":[null,{"name":"Mibbit","uriTemplate":"https://www.mibbit.com/?url=%s"}]},"mailto":{"stubEntry":true,"handlers":[null,{"name":"Yahoo! Mail","uriTemplate":"https://compose.mail.yahoo.com/?To=%s"},{"name":"Googlemail","uriTemplate":"https://mail.google.com/mail/?extsrc=mailto&url=%s"}]}}} equals www.yahoo.com (Yahoo)
      Source: cert9.db.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
      Source: powershell.exe, 00000002.00000002.120984169871.0000000003037000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
      Source: powershell.exe, 00000002.00000002.120984169871.0000000003037000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: cert9.db.0.drString found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
      Source: cert9.db.0.drString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
      Source: cert9.db.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
      Source: cert9.db.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
      Source: cert9.db.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
      Source: cert9.db.0.drString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
      Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
      Source: svchost.exe, 0000001A.00000003.122724068608.000002E4FE000000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/update2/actxsdodvxbjblyjfcbcbc7srcwa_1.3.36.242/GoogleUpda
      Source: powershell.exe, 00000002.00000002.120988706985.0000000005BAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: cert9.db.0.drString found in binary or memory: http://ocsp.digicert.com0
      Source: cert9.db.0.drString found in binary or memory: http://ocsp.pki.goog/gtsr100
      Source: cert9.db.0.drString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
      Source: powershell.exe, 00000002.00000002.120990536175.0000000007508000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.120985265105.0000000004C97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000002.00000002.120985265105.0000000004C97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png4
      Source: cert9.db.0.drString found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
      Source: qmgr.db.26.drString found in binary or memory: http://r4---sn-5hnekn7k.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93
      Source: qmgr.db.26.drString found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93.0.457
      Source: qmgr.db.26.drString found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/aciwgjnovhktokhzyboslawih45a_2700/jflook
      Source: qmgr.db.26.drString found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/acze3h5f67uhtnjsyv6pabzn277q_298/lmelgle
      Source: qmgr.db.26.drString found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/dp66roauucji6olf7ycwe24lea_6869/hfnkpiml
      Source: explorer.exe, 00000007.00000003.121388869679.000000000E9F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121438534222.000000000E9D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.m
      Source: powershell.exe, 00000002.00000002.120985265105.0000000004B41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: qmgr.db.26.drString found in binary or memory: http://storage.googleapis.com/update-delta/ggkkehgbnfjpeggfpleeakpidbkibbmn/2021.9.13.1142/2021.9.7.
      Source: qmgr.db.26.drString found in binary or memory: http://storage.googleapis.com/update-delta/jamhcnnkihinmdlkakkaopbjbbcngflc/96.0.4648.2/96.0.4642.0/
      Source: qmgr.db.26.drString found in binary or memory: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/45/43/19f2dc8e4c5c5d0383
      Source: powershell.exe, 00000002.00000002.120990536175.0000000007508000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.120985265105.0000000004C97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000002.00000002.120985265105.0000000004C97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
      Source: powershell.exe, 00000002.00000002.120984169871.00000000030BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
      Source: powershell.exe, 00000002.00000002.120984169871.0000000003037000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
      Source: cert9.db.0.drString found in binary or memory: http://x1.c.lencr.org/0
      Source: cert9.db.0.drString found in binary or memory: http://x1.i.lencr.org/0
      Source: explorer.exe, 00000007.00000003.121365720001.0000000009C66000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.121365508103.0000000009C5A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.121389185482.0000000009C35000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.121384670529.0000000009C35000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009C46000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.121369839866.0000000009C19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.121365088329.0000000009C40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirm#3
      Source: explorer.exe, 0000000F.00000003.122814619555.0000000009178000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121583134853.0000000009178000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.122813453261.0000000009178000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmFF
      Source: powershell.exe, 00000002.00000002.120985265105.0000000004B41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=7834C1E69F06476EA9E614C5E284C1B3&timeOut=5000&oc
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=BD90711994424F5B8983DD2624ABCF73&timeOut=5000&oc
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehR3S.png
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehR3S.svg
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240908.1/Weather/W01_Sunn
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13eu4J
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13eu4J-dark
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13g0tb
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13g0tb-dark
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gD5m
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gD5m-dark
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDfu
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDfu-dark
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDrC
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDrC-dark
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF7M
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF7M-dark
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF81
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF81-dark
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gFtr
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gFtr-dark
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHFX
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHFX-dark
      Source: explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
      Source: explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMda
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMda-dark
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPv0
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPv0-dark
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRtf
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRtf-dark
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gowI
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gowI-dark
      Source: handlers.json.0.drString found in binary or memory: https://compose.mail.yahoo.com/?To=%s
      Source: powershell.exe, 00000002.00000002.120988706985.0000000005BAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000002.00000002.120988706985.0000000005BAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000002.00000002.120988706985.0000000005BAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: svchost.exe, 0000001A.00000003.124542010887.000002E4F5EB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://download.mozilla.org/?product=firefox-96.0.1-complete&os=win64&lang=en-GB3
      Source: svchost.exe, 0000001A.00000003.123662387896.000002E4F5DA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.mozilla.org/?product=firefox-96.0.1-complete&os=win64&lang=en-GBOC:
      Source: qmgr.db.26.drString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe
      Source: powershell.exe, 00000002.00000002.120990536175.0000000007508000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.120985265105.0000000004C97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000002.00000002.120985265105.0000000004C97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester4
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.redirectingat.com?id=74968X1553576&url=https%3A%2F%2Fsokoglam.com%2F&sref=https%3A%2F%2Fw
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.redirectingat.com?id=74968X1553576&url=https%3A%2F%2Fwww.peachandlily.com%2F&sref=https%3
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA18UlKH.img
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA19ywjN.img
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1s3zil.img
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2YAWO.img
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA36Tom.img
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6J22N.img
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6p0E6.img
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHfWvR.img
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAMzyrj.img
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAaeOki.img
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAywHbG.img
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB10dZNR.img
      Source: explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1jtbc8.img
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBY4G4r.img
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBwqLzS.img
      Source: handlers.json.0.drString found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
      Source: qmgr.db.26.drString found in binary or memory: https://msftspeechmodelsprod.azureedge.net/SR/SV10-EV100/en-us-n/MV101/naspmodelsmetadata.xmlPC:
      Source: powershell.exe, 00000002.00000002.120988706985.0000000005BAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: powershell.exe, 00000002.00000002.120984169871.0000000003037000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
      Source: cert9.db.0.drString found in binary or memory: https://pki.goog/repository/0
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://prod-streaming-video-msn-com.akamaized.net/3816fd87-9340-49ae-9112-05e94efcbac4/b99799e0-83d
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://prod-streaming-video-msn-com.akamaized.net/ebfb1cfc-2642-4461-9462-0635e0a6afdc/b99799e0-83d
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://prod-video-cms-amp-microsoft-com.akamaized.net/tenant/amp/entityid/AA1oRj32?blobrefkey=close
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://screenrant.com/doctor-who-season-15-fourth-wall-breaks-davies-response/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stacker.com
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stacker.com/business-economy/person-online-or-hybrid-shopping-american-consumer-habits-are-c
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stacker.com/lifestyle/truth-behind-5-unconventional-self-care-rituals-have-gone-viral-tiktok
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stacker.com/pets/animal-shelter-populations-are-heres-why-and-how-shelters-are-responding
      Source: explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stacker.com/stories
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
      Source: places.sqlite.0.drString found in binary or memory: https://support.mozilla.org
      Source: favicons.sqlite.0.drString found in binary or memory: https://support.mozilla.org/en-GB/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=fire
      Source: favicons.sqlite.0.drString found in binary or memory: https://support.mozilla.org/en-GB/products/firefox
      Source: places.sqlite.0.drString found in binary or memory: https://support.mozilla.org/en-GB/products/firefoxgro.allizom.troppus.
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-us&chosenMarketReason=implicitExisting
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-us&chosenMarketReason=implicitNew
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-us&chosenMarketReason=implicitExisting
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-us&chosenMarketReason=implicitNew
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.businessinsider.com/nashville-mistakes-what-to-know-about-visiting-according-to-local
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.census.gov/library/stories/2023/09/why-people-move.html
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.census.gov/newsroom/press-releases/2024/population-estimates-more-counties-population-ga
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cnn.com/travel/article/bachelorette-party-nashville-tennessee/index.html
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/content/cocktail-recipes/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/a22999141/thanksgiving-ring-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/a40984750/cannoli-chips-and-dip-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/g1702/casserole-recipes/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/g1967/fall-cocktails-recipes/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/g2021/fall-dessert-recipes/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a21782346/ultimate-chip-and-dip-platter-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a35396804/butternut-squash-potstickers-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a41848738/cranberry-whipped-feta-dip-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a44041/pumpkin-pie-dip-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a45623/bacon-wrapped-jalapenos-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a50000/sweet-potato-bites-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a62779542/cranberry-cream-cheese-spread-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/g2957/easy-fall-dinners/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/g3026/fall-soup-recipes/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/recipes/a44140/pumpkin-deviled-eggs-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/recipes/a50049/green-bean-casserole-bundles-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/recipes/a51423/ham-and-cheese-pinwheels-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/recipes/a55502/pub-beer-cheese-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/recipes/a56997/onion-soup-bread-bowls-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/recipes/a57209/cranberry-brie-pull-apart-bread-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/food/g2168/bite-size-appetizers/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/holiday-recipes/thanksgiving/
      Source: cert9.db.0.drString found in binary or memory: https://www.digicert.com/CPS0
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.elle.com/beauty/makeup-skin-care/g46652382/best-sheet-mask/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.elle.com/beauty/makeup-skin-care/tips/g8091/face-serum/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.elle.com/beauty/makeup-skin-care/tips/g8901/korean-beauty-skincare-routine-10-steps/
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.hollywoodreporter.com/tv/tv-news/sesame-street-changing-format-tales-from-123-season-56-
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.imdb.com/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.instagram.com/aliciayoon212/?hl=en
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.instagram.com/charlottejcho/?hl=en
      Source: handlers.json.0.drString found in binary or memory: https://www.mibbit.com/?url=%s
      Source: places.sqlite.0.drString found in binary or memory: https://www.mozilla.org
      Source: favicons.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-GB/about/
      Source: places.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-GB/about/gro.allizom.www.
      Source: favicons.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-GB/contribute/
      Source: places.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-GB/contribute/gro.allizom.www.
      Source: favicons.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-GB/firefox/central/
      Source: places.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-GB/firefox/central/gro.allizom.www.
      Source: places.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-GB/privacy/firefox/gro.allizom.www.
      Source: upgrade.jsonlz4-20210816143654.0.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/fV
      Source: favicons.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
      Source: places.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
      Source: favicons.sqlite.0.drString found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon-196x196.2af054fea211.png
      Source: favicons.sqlite.0.drString found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
      Source: places.sqlite.0.drString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpgk
      Source: places.sqlite.0.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/autos/enthusiasts/sema-2024-flexing-muscle-on-the-floor/ar-AA1uciUt
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/autos/news/does-the-start-stop-function-really-improve-your-car-s-fuel-eco
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/entertainment/news/fans-choose-jin-s-happy-as-this-week-s-favorite-new-mus
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/feed
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/foodanddrink/recipes/20-quick-and-easy-dinners-made-in-a-13-9-pan/ss-AA1tX
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/foodanddrink/recipes/60-appetizer-recipes-that-ll-get-the-party-started-th
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/foodanddrink/recipes/meatloaf-gourmet-style/ar-BB1qWDmx
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/medical/12-strange-facts-about-redheads-you-never-knew/ar-BB1labs7
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/medical/researchers-study-life-after-death-and-it-gets-weirder/ar-A
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/nutrition/the-ina-garten-cookie-recipe-i-can-t-stop-making/ar-AA1ue
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/other/13-best-ballet-flats-with-arch-support-so-you-can-get-in-on-t
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/other/these-korean-skin-care-brands-will-give-you-glass-skin/ss-BB1
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/off-grid-homeowners-spark-inspiration-with-images
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/pets/the-dog-breed-that-lives-the-longest-based-on-data-and-see-
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/shopping/10-fashion-gifts-you-won-t-believe-are-from-walmart-all
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/6-cool-cars-the-middle-class-can-afford-according-to
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/warren-buffett-10-things-poor-people-waste-money-on/
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/movies/news/25-stunning-comebacks-roles-that-resurrected-hollywood-careers
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/movies/news/5-new-to-paramount-plus-movies-with-90-or-higher-on-rotten-tom
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/movies/news/judy-garland-s-daughter-lorna-luft-praises-wicked-as-astoundin
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/music/news/katy-perry-announces-the-u-k-leg-of-lifetimes-tour/ar-AA1uiJlK
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/music/news/learn-10-funk-guitar-riffs-inspired-by-james-brown-prince-and-v
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/music/news/what-de-la-soul-s-big-mistake-cost-hip-hop/ar-AA1uiaQK
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/biden-in-the-background-at-g20-summit-as-leaders-brace-for-s
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/messy-fight-for-trump-s-treasury-chief-spills-into-public/ar
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/trump-s-treasury-pick-could-give-an-indication-of-what-he-pl
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/union-bosses-say-democrats-need-to-overhaul-their-vision-to-
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/historians-thought-this-was-a-medieval-site-linked-to-king
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/aclu-files-lawsuit-seeking-details-on-trump-s-plan-for-mass-deport
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/meet-the-newest-dog-breed-recognized-by-the-american-kennel-club-a
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/should-women-be-allowed-to-fight-on-the-front-lines-trump-s-defens
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/brazil-hosts-g20-with-wars-and-trump-s-return-in-the-background
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/china-unveils-swarm-carrier-drone-with-payload-comparable-to-fi
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/nfl/lions-news-hc-dan-campbell-makes-something-clear-about-jared-go
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/nfl/nfl-week-12-power-rankings-steelers-eagles-bills-climb-as-raven
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/nfl/ravens-justin-tucker-blames-acrisure-stadium-for-terrible-outin
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/nfl/travis-kelce-and-chiefs-lose-first-game-of-the-season-as-patric
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/forecast/in-New-York?loc=eyJsIjoiTmV3IFlvcmsiLCJyIjoiTmV3IFlvcmsiL
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.nature.com/articles/s41598-017-16118-6
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.niche.com/about/methodology/best-places-to-live/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.niche.com/places-to-live/search/best-places-to-live/?type=city&type=suburb&type=town
      Source: explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.northaustinfeet.com/bio/anne-sharkey.cfm
      Source: explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.nycprivatemedical.com/the-doctor
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.omdbapi.com/
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.prevention.com/beauty/style/g45626343/best-jeans-for-women-over-50/
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.prevention.com/health/health-conditions/g36385300/plantar-fasciitis-stretches/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.veranda.com/decorating-ideas/advice-from-designers/a62830063/warm-and-cool-colors/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.veranda.com/decorating-ideas/g62259813/cottage-kitchen-ideas/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.veranda.com/decorating-ideas/house-tours/a61682769/timothy-corrigan-french-chateau/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.veranda.com/home-decorators/a30145134/micky-hurley-paris-apartment/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.veranda.com/home-decorators/a31046866/decorating-with-antiques/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.veranda.com/home-decorators/design-trends/g46584591/antique-trends-2024/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.veranda.com/house-tours/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.veranda.com/outdoor-garden/a39580257/zoe-de-givenchy-french-countryside-manor-house/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.veranda.com/outdoor-garden/g1134/beautiful-french-gardens/
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.visitmusiccity.com/accolades-honors

      System Summary

      barindex
      .NET source code contains very large array initializations
      Source: Zoom.exe, RulesSingletonConnector.csLarge array initialization: PopStub: array initializer size 297280
      Source: Zoom.exe.0.dr, RulesSingletonConnector.csLarge array initialization: PopStub: array initializer size 297280
      Source: C:\Users\user\Desktop\Zoom.exeProcess Stats: CPU usage > 6%
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA42584_2_00BA4258
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA14E04_2_00BA14E0
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA14D04_2_00BA14D0
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1AA84_2_00BA1AA8
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1AF24_2_00BA1AF2
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1AA84_2_00BA1AA8
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1B924_2_00BA1B92
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA3BEF4_2_00BA3BEF
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1B334_2_00BA1B33
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1B1E4_2_00BA1B1E
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1B074_2_00BA1B07
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1B7A4_2_00BA1B7A
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1B624_2_00BA1B62
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1B4A4_2_00BA1B4A
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA3CA24_2_00BA3CA2
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA2F254_2_00BA2F25
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 5_2_010A41D15_2_010A41D1
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 5_2_010A42585_2_010A4258
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 5_2_010A14D05_2_010A14D0
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 5_2_010A14E05_2_010A14E0
      Source: Zoom.exe, 00000000.00000000.120971649532.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameNeqpcwp.exe" vs Zoom.exe
      Source: Zoom.exe, 00000004.00000002.121253915610.0000000004E40000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameZapjprdi.dll" vs Zoom.exe
      Source: Zoom.exe, 00000004.00000002.121251262532.0000000003915000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameZapjprdi.dll" vs Zoom.exe
      Source: Zoom.exe, 00000004.00000002.121246518203.000000000096E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Zoom.exe
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002851000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameZapjprdi.dll" vs Zoom.exe
      Source: Zoom.exe, 00000005.00000002.121327157686.0000000000B90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Zoom.exe
      Source: Zoom.exe, 00000005.00000002.121335318122.0000000003CD4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameZapjprdi.dll" vs Zoom.exe
      Source: Zoom.exeBinary or memory string: OriginalFilenameNeqpcwp.exe" vs Zoom.exe
      Source: Zoom.exe.0.drBinary or memory string: OriginalFilenameNeqpcwp.exe" vs Zoom.exe
      Source: Zoom.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: Zoom.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: Zoom.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: Zoom.exe, WatcherCodeInstance.csCryptographic APIs: 'CreateDecryptor'
      Source: Zoom.exe, WatcherCodeInstance.csCryptographic APIs: 'CreateDecryptor'
      Source: Zoom.exe, RulesSingletonConnector.csCryptographic APIs: 'CreateDecryptor'
      Source: Zoom.exe.0.dr, WatcherCodeInstance.csCryptographic APIs: 'CreateDecryptor'
      Source: Zoom.exe.0.dr, WatcherCodeInstance.csCryptographic APIs: 'CreateDecryptor'
      Source: Zoom.exe.0.dr, RulesSingletonConnector.csCryptographic APIs: 'CreateDecryptor'
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@39/70@0/14
      Source: C:\Users\user\Desktop\Zoom.exeFile created: C:\Users\user\AppData\Roaming\Zoom.exeJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeMutant created: NULL
      Source: C:\Users\user\Desktop\Zoom.exeMutant created: \Sessions\1\BaseNamedObjects\c133332651f9
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:304:WilStaging_02
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:120:WilError_03
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sacdv3l2.3dm.ps1Jump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\explorer.exe
      Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\explorer.exe
      Source: Zoom.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: Zoom.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
      Source: C:\Users\user\Desktop\Zoom.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Users\user\Desktop\Zoom.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name = 'firefox.exe'
      Source: C:\Windows\explorer.exeFile read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: Zoom.exeReversingLabs: Detection: 44%
      Source: C:\Users\user\Desktop\Zoom.exeFile read: C:\Users\user\Desktop\Zoom.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\Zoom.exe "C:\Users\user\Desktop\Zoom.exe"
      Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String'
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Zoom.exe "C:\Users\user\AppData\Roaming\Zoom.exe"
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Zoom.exe "C:\Users\user\AppData\Roaming\Zoom.exe"
      Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe
      Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe
      Source: C:\Windows\explorer.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2220,i,9109457994456723034,8271552518861750300,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2224 /prefetch:3
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String'Jump to behavior
      Source: C:\Windows\explorer.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2220,i,9109457994456723034,8271552518861750300,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2224 /prefetch:3
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: edgegdi.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: windowscodecs.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: edgegdi.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: edgegdi.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: aepic.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: twinapi.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: dwmapi.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: edgegdi.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: ninput.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: starttiledata.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: idstore.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.applicationmodel.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: usermgrcli.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: wlidprov.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: samcli.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: appxdeploymentclient.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: usermgrproxy.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryclient.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: settingsynccore.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: appextension.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: sndvolsso.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: mmdevapi.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: devobj.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: oleacc.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windowscodecs.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: dcomp.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: d3d11.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: resourcepolicyclient.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: dxcore.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: d2d1.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: dwrite.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: xmllite.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: dataexchange.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: tiledatarepository.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: staterepository.core.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.staterepository.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: explorerframe.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.staterepositorycore.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: mrmcorer.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.ui.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windowmanagementapi.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: inputhost.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: languageoverlayutil.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: bcp47mrm.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: twinui.pcshell.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: wincorlib.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: cdp.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: dsreg.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: thumbcache.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.immersiveshell.serviceprovider.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: msctfmonitor.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: msutb.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: inputswitch.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: dui70.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: duser.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: cldapi.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: fltlib.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: pcshellcommonproxystub.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.globalization.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: notificationcontrollerps.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: rmclient.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: cryptngc.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: uianimation.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: cflapi.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: shellcommoncommonproxystub.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: d3d10warp.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: photometadatahandler.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: ntshrui.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: cscapi.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: linkinfo.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: samlib.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: wkscli.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: provsvc.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: ehstorshell.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: cscui.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: msvcp140.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: stobject.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: wmiclnt.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: batmeter.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: vaultcli.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: sxs.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: onedrivesettingsyncprovider.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.ui.shell.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: es.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: actxprxy.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: prnfldr.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: atlthunk.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: dxp.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: shdocvw.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: actioncenter.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: wevtapi.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: syncreg.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.networking.connectivity.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: npmproxy.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: dusmapi.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: wpdshserviceobj.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: portabledevicetypes.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: portabledeviceapi.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: audioses.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: settingmonitor.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: wpnclient.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: pnidui.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: mobilenetworking.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: netprofm.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: networkuxbroker.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: cscobj.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: ethernetmediamanager.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: wlanapi.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: srchadmin.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.storage.search.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: synccenter.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: imapi2.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: ncsi.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: wscinterop.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: wscapi.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: werconcpl.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: framedynos.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: wer.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: bluetoothapis.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: hcproviders.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: bluetoothapis.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: ieproxy.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: storageusage.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: fhcfg.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: efsutil.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: netapi32.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: dsrole.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.internal.system.userprofile.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: cloudexperiencehostbroker.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: credui.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: wdscore.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: dbgcore.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: windows.web.dllJump to behavior
      Source: C:\Windows\explorer.exeSection loaded: aepic.dll
      Source: C:\Windows\explorer.exeSection loaded: twinapi.dll
      Source: C:\Windows\explorer.exeSection loaded: userenv.dll
      Source: C:\Windows\explorer.exeSection loaded: ntmarta.dll
      Source: C:\Windows\explorer.exeSection loaded: powrprof.dll
      Source: C:\Windows\explorer.exeSection loaded: cryptsp.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
      Source: C:\Windows\explorer.exeSection loaded: dxgi.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
      Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\explorer.exeSection loaded: propsys.dll
      Source: C:\Windows\explorer.exeSection loaded: coremessaging.dll
      Source: C:\Windows\explorer.exeSection loaded: urlmon.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dll
      Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dll
      Source: C:\Windows\explorer.exeSection loaded: wininet.dll
      Source: C:\Windows\explorer.exeSection loaded: uxtheme.dll
      Source: C:\Windows\explorer.exeSection loaded: dwmapi.dll
      Source: C:\Windows\explorer.exeSection loaded: sspicli.dll
      Source: C:\Windows\explorer.exeSection loaded: wldp.dll
      Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dll
      Source: C:\Windows\explorer.exeSection loaded: iertutil.dll
      Source: C:\Windows\explorer.exeSection loaded: srvcli.dll
      Source: C:\Windows\explorer.exeSection loaded: netutils.dll
      Source: C:\Windows\explorer.exeSection loaded: edgegdi.dll
      Source: C:\Windows\explorer.exeSection loaded: umpdc.dll
      Source: C:\Windows\explorer.exeSection loaded: ninput.dll
      Source: C:\Windows\explorer.exeSection loaded: appresolver.dll
      Source: C:\Windows\explorer.exeSection loaded: bcp47langs.dll
      Source: C:\Windows\explorer.exeSection loaded: slc.dll
      Source: C:\Windows\explorer.exeSection loaded: sppc.dll
      Source: C:\Windows\explorer.exeSection loaded: profapi.dll
      Source: C:\Windows\explorer.exeSection loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\explorer.exeSection loaded: starttiledata.dll
      Source: C:\Windows\explorer.exeSection loaded: usermgrcli.dll
      Source: C:\Windows\explorer.exeSection loaded: idstore.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryps.dll
      Source: C:\Windows\explorer.exeSection loaded: usermgrproxy.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.applicationmodel.dll
      Source: C:\Windows\explorer.exeSection loaded: wlidprov.dll
      Source: C:\Windows\explorer.exeSection loaded: samcli.dll
      Source: C:\Windows\explorer.exeSection loaded: appxdeploymentclient.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.dll
      Source: C:\Windows\explorer.exeSection loaded: policymanager.dll
      Source: C:\Windows\explorer.exeSection loaded: msvcp110_win.dll
      Source: C:\Windows\explorer.exeSection loaded: appextension.dll
      Source: C:\Windows\explorer.exeSection loaded: settingsynccore.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dll
      Source: C:\Windows\explorer.exeSection loaded: winsta.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.staterepositoryclient.dll
      Source: C:\Windows\explorer.exeSection loaded: wintypes.dll
      Source: C:\Windows\explorer.exeSection loaded: sndvolsso.dll
      Source: C:\Windows\explorer.exeSection loaded: mmdevapi.dll
      Source: C:\Windows\explorer.exeSection loaded: devobj.dll
      Source: C:\Windows\explorer.exeSection loaded: onecorecommonproxystub.dll
      Source: C:\Windows\explorer.exeSection loaded: oleacc.dll
      Source: C:\Windows\explorer.exeSection loaded: textshaping.dll
      Source: C:\Windows\explorer.exeSection loaded: windowscodecs.dll
      Source: C:\Windows\explorer.exeSection loaded: dcomp.dll
      Source: C:\Windows\explorer.exeSection loaded: d3d11.dll
      Source: C:\Windows\explorer.exeSection loaded: resourcepolicyclient.dll
      Source: C:\Windows\explorer.exeSection loaded: ncrypt.dll
      Source: C:\Windows\explorer.exeSection loaded: ntasn1.dll
      Source: C:\Windows\explorer.exeSection loaded: dxcore.dll
      Source: C:\Windows\explorer.exeSection loaded: d2d1.dll
      Source: C:\Windows\explorer.exeSection loaded: dwrite.dll
      Source: C:\Windows\explorer.exeSection loaded: xmllite.dll
      Source: C:\Windows\explorer.exeSection loaded: dataexchange.dll
      Source: C:\Windows\explorer.exeSection loaded: apphelp.dll
      Source: C:\Windows\explorer.exeSection loaded: tiledatarepository.dll
      Source: C:\Windows\explorer.exeSection loaded: staterepository.core.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.staterepository.dll
      Source: C:\Windows\explorer.exeSection loaded: explorerframe.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.staterepositorycore.dll
      Source: C:\Windows\explorer.exeSection loaded: mrmcorer.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.ui.dll
      Source: C:\Windows\explorer.exeSection loaded: windowmanagementapi.dll
      Source: C:\Windows\explorer.exeSection loaded: textinputframework.dll
      Source: C:\Windows\explorer.exeSection loaded: inputhost.dll
      Source: C:\Windows\explorer.exeSection loaded: coreuicomponents.dll
      Source: C:\Windows\explorer.exeSection loaded: coreuicomponents.dll
      Source: C:\Windows\explorer.exeSection loaded: languageoverlayutil.dll
      Source: C:\Windows\explorer.exeSection loaded: bcp47mrm.dll
      Source: C:\Windows\explorer.exeSection loaded: twinui.pcshell.dll
      Source: C:\Windows\explorer.exeSection loaded: wincorlib.dll
      Source: C:\Windows\explorer.exeSection loaded: cdp.dll
      Source: C:\Windows\explorer.exeSection loaded: dsreg.dll
      Source: C:\Windows\explorer.exeSection loaded: thumbcache.dll
      Source: C:\Windows\explorer.exeSection loaded: edputil.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.immersiveshell.serviceprovider.dll
      Source: C:\Windows\explorer.exeSection loaded: msctfmonitor.dll
      Source: C:\Windows\explorer.exeSection loaded: msutb.dll
      Source: C:\Windows\explorer.exeSection loaded: inputswitch.dll
      Source: C:\Windows\explorer.exeSection loaded: dui70.dll
      Source: C:\Windows\explorer.exeSection loaded: duser.dll
      Source: C:\Windows\explorer.exeSection loaded: cldapi.dll
      Source: C:\Windows\explorer.exeSection loaded: fltlib.dll
      Source: C:\Windows\explorer.exeSection loaded: uianimation.dll
      Source: C:\Windows\explorer.exeSection loaded: d3d10warp.dll
      Source: C:\Windows\explorer.exeSection loaded: pcshellcommonproxystub.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.globalization.dll
      Source: C:\Windows\explorer.exeSection loaded: cryptngc.dll
      Source: C:\Windows\explorer.exeSection loaded: cflapi.dll
      Source: C:\Windows\explorer.exeSection loaded: notificationcontrollerps.dll
      Source: C:\Windows\explorer.exeSection loaded: rmclient.dll
      Source: C:\Windows\explorer.exeSection loaded: shellcommoncommonproxystub.dll
      Source: C:\Windows\explorer.exeSection loaded: photometadatahandler.dll
      Source: C:\Windows\explorer.exeSection loaded: ntshrui.dll
      Source: C:\Windows\explorer.exeSection loaded: cscapi.dll
      Source: C:\Windows\explorer.exeSection loaded: linkinfo.dll
      Source: C:\Windows\explorer.exeSection loaded: secur32.dll
      Source: C:\Windows\explorer.exeSection loaded: samlib.dll
      Source: C:\Windows\explorer.exeSection loaded: version.dll
      Source: C:\Windows\explorer.exeSection loaded: cryptbase.dll
      Source: C:\Windows\explorer.exeSection loaded: wkscli.dll
      Source: C:\Windows\explorer.exeSection loaded: provsvc.dll
      Source: C:\Windows\explorer.exeSection loaded: ehstorshell.dll
      Source: C:\Windows\explorer.exeSection loaded: cscui.dll
      Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1.dll
      Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dll
      Source: C:\Windows\explorer.exeSection loaded: msvcp140.dll
      Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dll
      Source: C:\Windows\explorer.exeSection loaded: stobject.dll
      Source: C:\Windows\explorer.exeSection loaded: wmiclnt.dll
      Source: C:\Windows\explorer.exeSection loaded: batmeter.dll
      Source: C:\Windows\explorer.exeSection loaded: vaultcli.dll
      Source: C:\Windows\explorer.exeSection loaded: sxs.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.ui.shell.dll
      Source: C:\Windows\explorer.exeSection loaded: onedrivesettingsyncprovider.dll
      Source: C:\Windows\explorer.exeSection loaded: prnfldr.dll
      Source: C:\Windows\explorer.exeSection loaded: actxprxy.dll
      Source: C:\Windows\explorer.exeSection loaded: es.dll
      Source: C:\Windows\explorer.exeSection loaded: rsaenh.dll
      Source: C:\Windows\explorer.exeSection loaded: dxp.dll
      Source: C:\Windows\explorer.exeSection loaded: shdocvw.dll
      Source: C:\Windows\explorer.exeSection loaded: atlthunk.dll
      Source: C:\Windows\explorer.exeSection loaded: actioncenter.dll
      Source: C:\Windows\explorer.exeSection loaded: wevtapi.dll
      Source: C:\Windows\explorer.exeSection loaded: syncreg.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.fileexplorer.common.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.networking.connectivity.dll
      Source: C:\Windows\explorer.exeSection loaded: npmproxy.dll
      Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\explorer.exeSection loaded: dusmapi.dll
      Source: C:\Windows\explorer.exeSection loaded: wpdshserviceobj.dll
      Source: C:\Windows\explorer.exeSection loaded: portabledevicetypes.dll
      Source: C:\Windows\explorer.exeSection loaded: portabledeviceapi.dll
      Source: C:\Windows\explorer.exeSection loaded: settingmonitor.dll
      Source: C:\Windows\explorer.exeSection loaded: msasn1.dll
      Source: C:\Windows\explorer.exeSection loaded: wpnclient.dll
      Source: C:\Windows\explorer.exeSection loaded: cscobj.dll
      Source: C:\Windows\explorer.exeSection loaded: audioses.dll
      Source: C:\Windows\explorer.exeSection loaded: srchadmin.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.storage.search.dll
      Source: C:\Windows\explorer.exeSection loaded: synccenter.dll
      Source: C:\Windows\explorer.exeSection loaded: imapi2.dll
      Source: C:\Windows\explorer.exeSection loaded: pnidui.dll
      Source: C:\Windows\explorer.exeSection loaded: mobilenetworking.dll
      Source: C:\Windows\explorer.exeSection loaded: netprofm.dll
      Source: C:\Windows\explorer.exeSection loaded: networkuxbroker.dll
      Source: C:\Windows\explorer.exeSection loaded: ethernetmediamanager.dll
      Source: C:\Windows\explorer.exeSection loaded: winhttp.dll
      Source: C:\Windows\explorer.exeSection loaded: wlanapi.dll
      Source: C:\Windows\explorer.exeSection loaded: ncsi.dll
      Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc6.dll
      Source: C:\Windows\explorer.exeSection loaded: dhcpcsvc.dll
      Source: C:\Windows\explorer.exeSection loaded: storageusage.dll
      Source: C:\Windows\explorer.exeSection loaded: wer.dll
      Source: C:\Windows\explorer.exeSection loaded: wscinterop.dll
      Source: C:\Windows\explorer.exeSection loaded: wscapi.dll
      Source: C:\Windows\explorer.exeSection loaded: fhcfg.dll
      Source: C:\Windows\explorer.exeSection loaded: efsutil.dll
      Source: C:\Windows\explorer.exeSection loaded: mpr.dll
      Source: C:\Windows\explorer.exeSection loaded: netapi32.dll
      Source: C:\Windows\explorer.exeSection loaded: dsrole.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.internal.system.userprofile.dll
      Source: C:\Windows\explorer.exeSection loaded: cloudexperiencehostbroker.dll
      Source: C:\Windows\explorer.exeSection loaded: credui.dll
      Source: C:\Windows\explorer.exeSection loaded: wdscore.dll
      Source: C:\Windows\explorer.exeSection loaded: dbghelp.dll
      Source: C:\Windows\explorer.exeSection loaded: dbgcore.dll
      Source: C:\Windows\explorer.exeSection loaded: werconcpl.dll
      Source: C:\Windows\explorer.exeSection loaded: framedynos.dll
      Source: C:\Windows\explorer.exeSection loaded: hcproviders.dll
      Source: C:\Windows\explorer.exeSection loaded: bluetoothapis.dll
      Source: C:\Windows\explorer.exeSection loaded: ieproxy.dll
      Source: C:\Windows\explorer.exeSection loaded: bluetoothapis.dll
      Source: C:\Windows\explorer.exeSection loaded: windows.web.dll
      Source: C:\Windows\explorer.exeSection loaded: settingsync.dll
      Source: C:\Windows\explorer.exeSection loaded: smartscreenps.dll
      Source: C:\Windows\explorer.exeSection loaded: pcacli.dll
      Source: C:\Windows\explorer.exeSection loaded: sfc_os.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: edgegdi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
      Source: C:\Users\user\Desktop\Zoom.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: Zoom.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: Zoom.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

      Data Obfuscation

      barindex
      .NET source code contains method to dynamically call methods (often used by packers)
      Source: Zoom.exe, WatcherCodeInstance.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
      Source: Zoom.exe.0.dr, WatcherCodeInstance.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
      .NET source code contains potential unpacker
      Source: Zoom.exe, Consumer.cs.Net Code: ForgotTokenizer System.Reflection.Assembly.Load(byte[])
      Source: Zoom.exe.0.dr, Consumer.cs.Net Code: ForgotTokenizer System.Reflection.Assembly.Load(byte[])
      Suspicious powershell command line found
      Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String'
      Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String'Jump to behavior
      Source: Zoom.exeStatic PE information: 0xACB26237 [Mon Oct 24 09:28:23 2061 UTC]
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_04922CA9 push 04B807D4h; retf 2_2_04922CAE
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1F90 push 8BD88B72h; retf 4_2_00BA1F96
      Source: Zoom.exeStatic PE information: section name: .text entropy: 7.8678306288821815
      Source: Zoom.exe.0.drStatic PE information: section name: .text entropy: 7.8678306288821815
      Source: C:\Users\user\Desktop\Zoom.exeFile created: C:\Users\user\AppData\Roaming\Zoom.exeJump to dropped file

      Boot Survival

      barindex
      Monitors registry run keys for changes
      Source: C:\Windows\explorer.exeRegistry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunJump to behavior
      Source: C:\Windows\explorer.exeRegistry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZoomJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZoomJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\D1B229C21A0A68AF7DA7312615A134A4 57cea44528b4a4ada7e68dbaaab9333cJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      barindex
      Queries memory information (via WMI often done to detect virtual machines)
      Source: C:\Users\user\Desktop\Zoom.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
      Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
      Source: C:\Users\user\Desktop\Zoom.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
      Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
      Source: C:\Users\user\Desktop\Zoom.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
      Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
      Source: C:\Users\user\Desktop\Zoom.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
      Source: C:\Users\user\Desktop\Zoom.exeMemory allocated: 16F0000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeMemory allocated: 33B0000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeMemory allocated: 53B0000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeMemory allocated: BA0000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeMemory allocated: 2850000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeMemory allocated: 2760000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeMemory allocated: 1060000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeMemory allocated: 2B10000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeMemory allocated: 29C0000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeWindow / User API: threadDelayed 9957Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9875Jump to behavior
      Source: C:\Users\user\Desktop\Zoom.exe TID: 4392Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6040Thread sleep count: 9875 > 30Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3500Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exe TID: 2856Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exe TID: 192Thread sleep time: -922337203685477s >= -30000sJump to behavior
      Source: C:\Windows\System32\svchost.exe TID: 6912Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
      Source: C:\Users\user\Desktop\Zoom.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Users\user\Desktop\Zoom.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeMemory allocated: page read and write | page guardJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String'Jump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" remove-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'zoom';new-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'zoom' -value '"c:\users\user\appdata\roaming\zoom.exe"' -propertytype 'string'
      Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" remove-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'zoom';new-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'zoom' -value '"c:\users\user\appdata\roaming\zoom.exe"' -propertytype 'string'Jump to behavior
      Source: explorer.exe, 00000007.00000002.121432659149.00000000011B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progmanng
      Source: C:\Users\user\Desktop\Zoom.exeQueries volume information: C:\Users\user\Desktop\Zoom.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeQueries volume information: C:\Users\user\AppData\Roaming\Zoom.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeQueries volume information: C:\Users\user\AppData\Roaming\Zoom.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\Zoom.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

      Stealing of Sensitive Information

      barindex
      Found many strings related to Crypto-Wallets (likely being stolen)
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Electrum
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Jaxx Liberty@fihkakfobkmkjojpchpfgcmhfjnmnfpi
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Exodus Web3@jiidiaalihmmhddjgbnbgdfflelocpak
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Ethereum
      Source: powershell.exe, 00000002.00000002.120992516238.0000000007D30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: sqlcolumnencryptionkeystoreprovider
      Tries to harvest and steal Bitcoin Wallet information
      Source: C:\Users\user\Desktop\Zoom.exeKey opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-QtJump to behavior
      Source: Yara matchFile source: 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Zoom.exe PID: 1260, type: MEMORYSTR

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity InformationAcquire InfrastructureValid Accounts321
      Windows Management Instrumentation      		1
      Registry Run Keys / Startup Folder      		12
      Process Injection      		1
      Masquerading      		OS Credential Dumping1
      Query Registry      		Remote Services11
      Archive Collected Data      		1
      Encrypted Channel      		Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault Accounts1
      Command and Scripting Interpreter      		1
      DLL Side-Loading      		1
      Registry Run Keys / Startup Folder      		1
      Modify Registry      		LSASS Memory53
      Security Software Discovery      		Remote Desktop Protocol1
      Data from Local System      		Junk DataExfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain Accounts1
      PowerShell      		Logon Script (Windows)1
      DLL Side-Loading      		1
      Disable or Modify Tools      		Security Account Manager2
      Process Discovery      		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook351
      Virtualization/Sandbox Evasion      		NTDS351
      Virtualization/Sandbox Evasion      		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script12
      Process Injection      		LSA Secrets1
      Application Window Discovery      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
      Deobfuscate/Decode Files or Information      		Cached Domain Credentials1
      File and Directory Discovery      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
      Obfuscated Files or Information      		DCSync223
      System Information Discovery      		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job22
      Software Packing      		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
      Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
      Timestomp      		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
      IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
      DLL Side-Loading      		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 signatures2 2 Behavior Graph ID: 1557990 Sample: Zoom.exe Startdate: 18/11/2024 Architecture: WINDOWS Score: 100 54 Antivirus / Scanner detection for submitted sample 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 Sigma detected: Set autostart key via New-ItemProperty Cmdlet 2->58 60 4 other signatures 2->60 8 Zoom.exe 4 3 2->8         started        13 Zoom.exe 3 2->13         started        15 svchost.exe 2->15         started        17 Zoom.exe 2 2->17         started        process3 dnsIp4 38 72.21.81.240 EDGECASTUS United States 8->38 40 172.81.130.139 DATAWAGONUS United States 8->40 34 C:\Users\user\AppData\Roaming\Zoom.exe, PE32 8->34 dropped 66 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 8->66 68 Suspicious powershell command line found 8->68 70 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->70 80 3 other signatures 8->80 19 explorer.exe 8->19         started        22 powershell.exe 1 11 8->22         started        24 explorer.exe 1 106 8->24         started        36 C:\Users\user\AppData\Local\...\Zoom.exe.log, ASCII 13->36 dropped 72 Antivirus detection for dropped file 13->72 74 Multi AV Scanner detection for dropped file 13->74 76 Machine Learning detection for dropped file 13->76 78 Found many strings related to Crypto-Wallets (likely being stolen) 13->78 42 127.0.0.1 unknown unknown 15->42 file5 signatures6 process7 signatures8 62 Monitors registry run keys for changes 19->62 26 chrome.exe 19->26         started        64 Found many strings related to Crypto-Wallets (likely being stolen) 22->64 29 conhost.exe 22->29         started        process9 dnsIp10 44 192.168.11.20 unknown unknown 26->44 46 239.255.255.250 unknown Reserved 26->46 31 chrome.exe 26->31         started        process11 dnsIp12 48 9.9.9.9 QUAD9-AS-1US United States 31->48 50 142.250.176.195 GOOGLEUS United States 31->50 52 7 other IPs or domains 31->52

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      Zoom.exe100%AviraHEUR/AGEN.1323341
      Zoom.exe45%ReversingLabsByteCode-MSIL.Trojan.CrypterX
      Zoom.exe100%Joe Sandbox ML

      Dropped Files

      SourceDetectionScannerLabelLink
      C:\Users\user\AppData\Roaming\Zoom.exe100%AviraHEUR/AGEN.1323341
      C:\Users\user\AppData\Roaming\Zoom.exe100%Joe Sandbox ML
      C:\Users\user\AppData\Roaming\Zoom.exe45%ReversingLabsByteCode-MSIL.Trojan.CrypterX

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      http://www.microsoft.co0%Avira URL Cloudsafe
      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF7M-dark0%Avira URL Cloudsafe
      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDfu-dark0%Avira URL Cloudsafe
      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMda-dark0%Avira URL Cloudsafe
      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13eu4J0%Avira URL Cloudsafe
      https://www.veranda.com/home-decorators/a30145134/micky-hurley-paris-apartment/0%Avira URL Cloudsafe
      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDfu0%Avira URL Cloudsafe
      http://pesterbdd.com/images/Pester.png0%Avira URL Cloudsafe
      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13g0tb0%Avira URL Cloudsafe
      https://www.northaustinfeet.com/bio/anne-sharkey.cfm0%Avira URL Cloudsafe
      http://ocsp.rootca1.amazontrust.com0:0%Avira URL Cloudsafe
      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13eu4J-dark0%Avira URL Cloudsafe
      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDrC-dark0%Avira URL Cloudsafe
      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF7M0%Avira URL Cloudsafe
      http://www.quovadis.bm00%Avira URL Cloudsafe
      https://www.veranda.com/house-tours/0%Avira URL Cloudsafe
      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF810%Avira URL Cloudsafe
      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPv00%Avira URL Cloudsafe
      https://www.veranda.com/decorating-ideas/advice-from-designers/a62830063/warm-and-cool-colors/0%Avira URL Cloudsafe
      https://www.mibbit.com/?url=%s0%Avira URL Cloudsafe
      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark0%Avira URL Cloudsafe
      https://www.nycprivatemedical.com/the-doctor0%Avira URL Cloudsafe
      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gowI0%Avira URL Cloudsafe
      http://schemas.m0%Avira URL Cloudsafe
      http://pesterbdd.com/images/Pester.png40%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      No contacted domains info

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      https://www.delish.com/cooking/g2021/fall-dessert-recipes/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
        		high
        https://www.elle.com/beauty/makeup-skin-care/g46652382/best-sheet-mask/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
          		high
          https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240908.1/Weather/W01_Sunnexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
            		high
            https://www.delish.com/cooking/recipe-ideas/recipes/a55502/pub-beer-cheese-recipe/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
              		high
              https://www.delish.com/cooking/recipe-ideas/recipes/a44140/pumpkin-deviled-eggs-recipe/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                		high
                https://www.instagram.com/aliciayoon212/?hl=enexplorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                  		high
                  https://www.msn.com/en-us/news/us/aclu-files-lawsuit-seeking-details-on-trump-s-plan-for-mass-deportexplorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                    		high
                    https://api.msn.com:443/v1/news/Feed/Windows?explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                      		high
                      http://www.microsoft.copowershell.exe, 00000002.00000002.120984169871.00000000030BD000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMda-darkexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://www.msn.com/en-us/sports/nfl/travis-kelce-and-chiefs-lose-first-game-of-the-season-as-patricexplorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                        		high
                        https://www.delish.com/cooking/recipe-ideas/g3026/fall-soup-recipes/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high
                          https://www.msn.com/en-us/news/technology/historians-thought-this-was-a-medieval-site-linked-to-kingexplorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                            		high
                            https://stacker.com/pets/animal-shelter-populations-are-heres-why-and-how-shelters-are-respondingexplorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                              		high
                              https://www.instagram.com/charlottejcho/?hl=enexplorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                https://www.delish.com/cooking/recipe-ideas/recipes/a50049/green-bean-casserole-bundles-recipe/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  https://www.delish.com/cooking/a22999141/thanksgiving-ring-recipe/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                    		high
                                    https://www.msn.com/en-us/news/politics/union-bosses-say-democrats-need-to-overhaul-their-vision-to-explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		high
                                      https://www.delish.com/cooking/a40984750/cannoli-chips-and-dip-recipe/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high
                                        http://pki.goog/repo/certs/gtsr1.der04cert9.db.0.drfalse
                                          		high
                                          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF7M-darkexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://www.hollywoodreporter.com/tv/tv-news/sesame-street-changing-format-tales-from-123-season-56-explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            https://www.nature.com/articles/s41598-017-16118-6explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		high
                                              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDfu-darkexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              https://aka.ms/pscore6lBpowershell.exe, 00000002.00000002.120985265105.0000000004B41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://go.redirectingat.com?id=74968X1553576&url=https%3A%2F%2Fsokoglam.com%2F&sref=https%3A%2F%2Fwexplorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://www.msn.com/en-us/sports/nfl/lions-news-hc-dan-campbell-makes-something-clear-about-jared-goexplorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehR3S.svgexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exeZoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.120988706985.0000000005BAB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://www.delish.com/cooking/recipe-ideas/a35396804/butternut-squash-potstickers-recipe/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13eu4Jexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            https://www.msn.com/en-us/news/politics/messy-fight-for-trump-s-treasury-chief-spills-into-public/arexplorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://www.msn.com/en-us/news/us/meet-the-newest-dog-breed-recognized-by-the-american-kennel-club-aexplorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.120985265105.0000000004B41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDfuexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  https://www.imdb.com/explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13g0tbexplorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    		unknown
                                                                    https://www.delish.com/cooking/recipe-ideas/a41848738/cranberry-whipped-feta-dip-recipe/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://www.census.gov/library/stories/2023/09/why-people-move.htmlexplorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://stackoverflow.com/q/14436606/23354Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          		high
                                                                          https://www.msn.com/en-us/sports/nfl/nfl-week-12-power-rankings-steelers-eagles-bills-climb-as-ravenexplorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000002.120990536175.0000000007508000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.120985265105.0000000004C97000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            		unknown
                                                                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000002.120990536175.0000000007508000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.120985265105.0000000004C97000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              https://www.omdbapi.com/explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://www.northaustinfeet.com/bio/anne-sharkey.cfmexplorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                		unknown
                                                                                https://www.delish.com/cooking/g1702/casserole-recipes/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://www.msn.com/en-us/movies/news/25-stunning-comebacks-roles-that-resurrected-hollywood-careersexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://www.veranda.com/home-decorators/a30145134/micky-hurley-paris-apartment/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    		unknown
                                                                                    https://contoso.com/Iconpowershell.exe, 00000002.00000002.120988706985.0000000005BAB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://www.msn.com/en-us/health/other/13-best-ballet-flats-with-arch-support-so-you-can-get-in-on-texplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        https://www.delish.com/cooking/recipe-ideas/recipes/a57209/cranberry-brie-pull-apart-bread-recipe/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          http://crl.rootca1.amazontrust.com/rootca1.crl0cert9.db.0.drfalse
                                                                                            		high
                                                                                            http://crl.pki.goog/gtsr1/gtsr1.crl0Wcert9.db.0.drfalse
                                                                                              		high
                                                                                              http://ocsp.rootca1.amazontrust.com0:cert9.db.0.drfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              		unknown
                                                                                              https://www.msn.com/en-us/lifestyle/shopping/10-fashion-gifts-you-won-t-believe-are-from-walmart-allexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                		high
                                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13eu4J-darkexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                		unknown
                                                                                                https://pki.goog/repository/0cert9.db.0.drfalse
                                                                                                  		high
                                                                                                  https://www.niche.com/places-to-live/search/best-places-to-live/?type=city&type=suburb&type=townexplorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    https://www.census.gov/newsroom/press-releases/2024/population-estimates-more-counties-population-gaexplorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      https://www.delish.com/cooking/recipe-ideas/a62779542/cranberry-cream-cheese-spread-recipe/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.120990536175.0000000007508000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.120985265105.0000000004C97000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          		high
                                                                                                          https://www.msn.com/en-us/lifestyle/lifestyle-buzz/off-grid-homeowners-spark-inspiration-with-imagesexplorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            https://www.prevention.com/beauty/style/g45626343/best-jeans-for-women-over-50/explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDrC-darkexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              		unknown
                                                                                                              https://www.cnn.com/travel/article/bachelorette-party-nashville-tennessee/index.htmlexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                		high
                                                                                                                https://www.msn.com/en-us/lifestyle/pets/the-dog-breed-that-lives-the-longest-based-on-data-and-see-explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://support.mozilla.org/en-GB/products/firefoxfavicons.sqlite.0.drfalse
                                                                                                                    		high
                                                                                                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF7Mexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    		unknown
                                                                                                                    https://www.delish.com/cooking/recipe-ideas/a50000/sweet-potato-bites-recipe/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      		high
                                                                                                                      https://www.veranda.com/house-tours/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      		unknown
                                                                                                                      https://www.msn.com/en-us/news/us/should-women-be-allowed-to-fight-on-the-front-lines-trump-s-defensexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        		high
                                                                                                                        https://stackoverflow.com/q/2152978/23354rCannotZoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          		high
                                                                                                                          https://www.mibbit.com/?url=%shandlers.json.0.drfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          		unknown
                                                                                                                          https://www.veranda.com/decorating-ideas/advice-from-designers/a62830063/warm-and-cool-colors/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          		unknown
                                                                                                                          https://www.msn.com/en-us/sports/nfl/ravens-justin-tucker-blames-acrisure-stadium-for-terrible-outinexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            		high
                                                                                                                            https://www.msn.com/en-us/weather/forecast/in-New-York?loc=eyJsIjoiTmV3IFlvcmsiLCJyIjoiTmV3IFlvcmsiLexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              		high
                                                                                                                              https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehR3S.pngexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                		high
                                                                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF81explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                		unknown
                                                                                                                                https://www.msn.com/en-us/health/other/these-korean-skin-care-brands-will-give-you-glass-skin/ss-BB1explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  https://support.mozilla.org/en-GB/products/firefoxgro.allizom.troppus.places.sqlite.0.drfalse
                                                                                                                                    		high
                                                                                                                                    http://www.quovadis.bm0powershell.exe, 00000002.00000002.120984169871.0000000003037000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    		unknown
                                                                                                                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPv0explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    		unknown
                                                                                                                                    https://www.delish.com/cooking/recipe-ideas/g2957/easy-fall-dinners/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      https://support.mozilla.org/en-GB/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefavicons.sqlite.0.drfalse
                                                                                                                                        		high
                                                                                                                                        https://www.msn.com/en-us/foodanddrink/recipes/60-appetizer-recipes-that-ll-get-the-party-started-thexplorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          		high
                                                                                                                                          https://www.msn.com/en-us/news/politics/biden-in-the-background-at-g20-summit-as-leaders-brace-for-sexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            		high
                                                                                                                                            https://www.delish.com/food/g2168/bite-size-appetizers/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              		high
                                                                                                                                              https://www.delish.com/cooking/g1967/fall-cocktails-recipes/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                		high
                                                                                                                                                https://www.nycprivatemedical.com/the-doctorexplorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                		unknown
                                                                                                                                                https://www.msn.com/en-us/entertainment/news/fans-choose-jin-s-happy-as-this-week-s-favorite-new-musexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  		high
                                                                                                                                                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-darkexplorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                  		unknown
                                                                                                                                                  https://www.delish.com/cooking/recipe-ideas/a45623/bacon-wrapped-jalapenos-recipe/explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    		high
                                                                                                                                                    https://compose.mail.yahoo.com/?To=%shandlers.json.0.drfalse
                                                                                                                                                      		high
                                                                                                                                                      http://pesterbdd.com/images/Pester.png4powershell.exe, 00000002.00000002.120985265105.0000000004C97000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      		unknown
                                                                                                                                                      https://aka.ms/odirm#3explorer.exe, 00000007.00000003.121365720001.0000000009C66000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.121365508103.0000000009C5A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.121389185482.0000000009C35000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.121384670529.0000000009C35000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009C46000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.121369839866.0000000009C19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.121365088329.0000000009C40000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        		high
                                                                                                                                                        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gowIexplorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                        		unknown
                                                                                                                                                        https://www.msn.com/en-us/foodanddrink/recipes/meatloaf-gourmet-style/ar-BB1qWDmxexplorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          		high
                                                                                                                                                          https://windows.msn.com:443/shellv2?osLocale=en-us&chosenMarketReason=implicitExistingexplorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            		high
                                                                                                                                                            http://schemas.mexplorer.exe, 00000007.00000003.121388869679.000000000E9F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121438534222.000000000E9D8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                            		unknown

                                                                                                                                                            World Map of Contacted IPs

                                                                                                                                                            • No. of IPs < 25%
                                                                                                                                                            • 25% < No. of IPs < 50%
                                                                                                                                                            • 50% < No. of IPs < 75%
                                                                                                                                                            • 75% < No. of IPs

                                                                                                                                                            Public IPs

                                                                                                                                                            IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                            72.21.81.240
                                                                                                                                                            		unknownUnited States
                                                                                                                                                            		15133EDGECASTUSfalse
                                                                                                                                                            9.9.9.9
                                                                                                                                                            		unknownUnited States
                                                                                                                                                            		19281QUAD9-AS-1USfalse
                                                                                                                                                            1.1.1.1
                                                                                                                                                            		unknownAustralia
                                                                                                                                                            		13335CLOUDFLARENETUSfalse
                                                                                                                                                            142.250.65.174
                                                                                                                                                            		unknownUnited States
                                                                                                                                                            		15169GOOGLEUSfalse
                                                                                                                                                            142.250.65.228
                                                                                                                                                            		unknownUnited States
                                                                                                                                                            		15169GOOGLEUSfalse
                                                                                                                                                            172.81.130.139
                                                                                                                                                            		unknownUnited States
                                                                                                                                                            		27176DATAWAGONUSfalse
                                                                                                                                                            142.250.65.227
                                                                                                                                                            		unknownUnited States
                                                                                                                                                            		15169GOOGLEUSfalse
                                                                                                                                                            239.255.255.250
                                                                                                                                                            		unknownReserved
                                                                                                                                                            		unknownunknownfalse
                                                                                                                                                            142.251.41.10
                                                                                                                                                            		unknownUnited States
                                                                                                                                                            		15169GOOGLEUSfalse
                                                                                                                                                            142.250.176.195
                                                                                                                                                            		unknownUnited States
                                                                                                                                                            		15169GOOGLEUSfalse
                                                                                                                                                            142.250.31.84
                                                                                                                                                            		unknownUnited States
                                                                                                                                                            		15169GOOGLEUSfalse
                                                                                                                                                            142.250.65.234
                                                                                                                                                            		unknownUnited States
                                                                                                                                                            		15169GOOGLEUSfalse

                                                                                                                                                            Private

                                                                                                                                                            IP
                                                                                                                                                            192.168.11.20
                                                                                                                                                            127.0.0.1

                                                                                                                                                            General Information

                                                                                                                                                            Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                            Analysis ID:1557990
                                                                                                                                                            Start date and time:2024-11-18 20:55:51 +01:00
                                                                                                                                                            Joe Sandbox product:CloudBasic
                                                                                                                                                            Overall analysis duration:0h 16m 44s
                                                                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                                                                            Report type:full
                                                                                                                                                            Cookbook file name:default.jbs
                                                                                                                                                            Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                                                                                                                            Run name:Suspected VM Detection
                                                                                                                                                            Number of analysed new started processes analysed:28
                                                                                                                                                            Number of new started drivers analysed:0
                                                                                                                                                            Number of existing processes analysed:0
                                                                                                                                                            Number of existing drivers analysed:0
                                                                                                                                                            Number of injected processes analysed:0
                                                                                                                                                            Technologies:
                                                                                                                                                            • HCA enabled
                                                                                                                                                            • EGA enabled
                                                                                                                                                            • AMSI enabled
                                                                                                                                                            Analysis Mode:default
                                                                                                                                                            Sample name:Zoom.exe
                                                                                                                                                            Detection:MAL
                                                                                                                                                            Classification:mal100.troj.spyw.evad.winEXE@39/70@0/14
                                                                                                                                                            EGA Information:Failed
                                                                                                                                                            HCA Information:
                                                                                                                                                            • Successful, ratio: 91%
                                                                                                                                                            • Number of executed functions: 34
                                                                                                                                                            • Number of non-executed functions: 15
                                                                                                                                                            Cookbook Comments:
                                                                                                                                                            • Found application associated with file extension: .exe
                                                                                                                                                            • Override analysis time to 240s for sample files taking high CPU consumption

                                                                                                                                                            Warnings

                                                                                                                                                            • Max analysis timeout: 600s exceeded, the analysis took too long
                                                                                                                                                            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                                                                                                                            • Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, UserOOBEBroker.exe, backgroundTaskHost.exe, svchost.exe, StartMenuExperienceHost.exe, mobsync.exe, SearchApp.exe
                                                                                                                                                            • Execution Graph export aborted for target Zoom.exe, PID 1260 because it is empty
                                                                                                                                                            • Execution Graph export aborted for target Zoom.exe, PID 7756 because it is empty
                                                                                                                                                            • Execution Graph export aborted for target powershell.exe, PID 7772 because it is empty
                                                                                                                                                            • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                            • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                                            • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                            • Report size getting too big, too many NtOpenKey calls found.
                                                                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                            • Skipping network analysis since amount of network traffic is too extensive
                                                                                                                                                            • VT rate limit hit for: Zoom.exe

                                                                                                                                                            Simulations

                                                                                                                                                            Behavior and APIs

                                                                                                                                                            TimeTypeDescription
                                                                                                                                                            14:57:57API Interceptor3x Sleep call for process: powershell.exe modified
                                                                                                                                                            14:58:03API Interceptor23847683x Sleep call for process: Zoom.exe modified
                                                                                                                                                            14:58:35API Interceptor6226x Sleep call for process: explorer.exe modified
                                                                                                                                                            15:00:52API Interceptor2x Sleep call for process: svchost.exe modified
                                                                                                                                                            20:58:01AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Zoom C:\Users\user\AppData\Roaming\Zoom.exe
                                                                                                                                                            20:58:09AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Zoom C:\Users\user\AppData\Roaming\Zoom.exe

                                                                                                                                                            Joe Sandbox View / Context

                                                                                                                                                            IPs

                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                            72.21.81.240BAT6357377.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                              E5wbN5MIkS.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                yyyyyyyyyyyy.msgGet hashmaliciousDarkGate, MailPassViewBrowse
                                                                                                                                                                  file300un.exeGet hashmaliciousGlupteba, Mars Stealer, PureLog Stealer, Stealc, VidarBrowse
                                                                                                                                                                    https://download.filezilla-project.org/client/FileZilla_3.67.0_win64_sponsored2-setup.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                      jNeaezBuo8.exeGet hashmaliciousGlupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRATBrowse
                                                                                                                                                                        https://downloads.decipher-media.com/DecipherTextMessage.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                          JWQgbclQK5Get hashmaliciousPureLog StealerBrowse
                                                                                                                                                                            Facture_160087511.htmlGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                              GracehealthmiSMKB478467348838.rtfGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                9.9.9.9Must-School-Districts-In-California-Offer-Free-Healthcare-For-Employees.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                  pdfguruhub.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                    ACHAT DE 2 IMMEUBLES.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                      allpdfpro.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                        file.exeGet hashmaliciousLummaC, Amadey, LummaC StealerBrowse
                                                                                                                                                                                          Setup.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            Setup.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              file.exeGet hashmaliciousAmadey, LummaC Stealer, XWormBrowse
                                                                                                                                                                                                http://assets.website-files.com/65e885e17261602dcdc10dce/663166d899226eaa1af23d4b_kilexi.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  All-in-one Calculation Tool.xlsmGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                    1.1.1.1PO-230821_pdf.exeGet hashmaliciousFormBook, NSISDropperBrowse
                                                                                                                                                                                                    • www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
                                                                                                                                                                                                    AFfv8HpACF.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                    • 1.1.1.1/
                                                                                                                                                                                                    INVOICE_90990_PDF.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                    • www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
                                                                                                                                                                                                    Go.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                    • 1.1.1.1/

                                                                                                                                                                                                    Domains

                                                                                                                                                                                                    No context

                                                                                                                                                                                                    ASNs

                                                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                    CLOUDFLARENETUSKsciarillo_Reord_Adjustment.docxGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                    • 104.18.94.41
                                                                                                                                                                                                    http://winningwriters.comGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                                                    Play_vm_Message_for_Melissa.medina_wav_ .htmGet hashmaliciousHTMLPhisher, Mamba2FABrowse
                                                                                                                                                                                                    • 104.18.95.41
                                                                                                                                                                                                    file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                                                    Portfolio Review _2024.htmlGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                    • 104.17.25.14
                                                                                                                                                                                                    file.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                                                    file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                                                    http://jofilesjo.com/error.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                    • 172.67.68.105
                                                                                                                                                                                                    401(k) for Corerecon.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                    • 1.1.1.1
                                                                                                                                                                                                    https://recaptcha-checking-v3.b-cdn.net/verifyme.htmlGet hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                                                                                                                                                                    • 1.1.1.1
                                                                                                                                                                                                    QUAD9-AS-1USMust-School-Districts-In-California-Offer-Free-Healthcare-For-Employees.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                    • 9.9.9.9
                                                                                                                                                                                                    pdfguruhub.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                    • 9.9.9.9
                                                                                                                                                                                                    ACHAT DE 2 IMMEUBLES.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                    • 9.9.9.9
                                                                                                                                                                                                    allpdfpro.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                    • 9.9.9.9
                                                                                                                                                                                                    rPO3799039985.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                                    • 149.112.112.112
                                                                                                                                                                                                    file.exeGet hashmaliciousLummaC, Amadey, LummaC StealerBrowse
                                                                                                                                                                                                    • 9.9.9.9
                                                                                                                                                                                                    Setup.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                    • 9.9.9.9
                                                                                                                                                                                                    Setup.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                    • 9.9.9.9
                                                                                                                                                                                                    file.exeGet hashmaliciousAmadey, LummaC Stealer, XWormBrowse
                                                                                                                                                                                                    • 9.9.9.9
                                                                                                                                                                                                    http://assets.website-files.com/65e885e17261602dcdc10dce/663166d899226eaa1af23d4b_kilexi.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                    • 9.9.9.9
                                                                                                                                                                                                    EDGECASTUSPlay_vm_Message_for_Melissa.medina_wav_ .htmGet hashmaliciousHTMLPhisher, Mamba2FABrowse
                                                                                                                                                                                                    • 152.199.21.175
                                                                                                                                                                                                    Portfolio Review _2024.htmlGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                    • 152.199.21.175
                                                                                                                                                                                                    https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-1A856199AY9332828%2FU-77630530J42133249%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=x4wp2RUmKXGU83Jd60oXqZdbNaAB4UhpJw4A.w&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-1A856199AY9332828%2FU-77630530J42133249%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3Dx4wp2RUmKXGU83Jd60oXqZdbNaAB4UhpJw4A.w%22%7D%7D&flowContextData=rJEDMuqXOHvj3E4Xqee4TJrpH0yS3i0-L1aDZuSDahKFB0OfOcuDAlxm_0M5Ubdc0ovfBJsmVPh8V0xxj3Fj-jL1pDEjzZXbSFx3oGm782P2l2ClRKt5Tg4HaLdY7a5agl75BZWTfqGUoK21DzHAjn1ZzwB4cHlE2xNmSofOhY9eCJeN9IzINAo1Y0VwMbAz_9hKqbv_N3UNRr6ldWkvwl6vuUacgbkE_SUfKB2fRyRqHqyPhOED3_9zyxA9XG6tpv71j-BSBqPxdGk09L9Cebz49cjzxXoPiVibFBG4RQ0rHrPokjksEXTCG2F0j2gFPXI0xsSjWnCRhVvjeYQ6Bv5lgbaBGPSp8S-U9P1SucMa3p7xZy-eG5yF-VzVRZiwC1eVU5NgaXx51Em4tQjnFVE9YpehkF9gpnmNB8fOqFWMXJ5Klz1YTzOx6TomIwmAVNZK_XE8YFJ59HpxJPie41yUUbOCj59lTY6RURRqHsTOEi0tkBWQNzZYsYvqAngTUp2pA4Zv5sLe92lMGyMw01S1i7WsRLLrQHKo0hAz3AKaWNYXoHJxt23b819B9kqC9Tdwa0&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=820e63b7-a5d6-11ef-9a81-15d321eebece&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&unptid=820e63b7-a5d6-11ef-9a81-15d321eebece&calc=f966800b39326&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.293.0&tenant_name=&xt=145585%2C150948%2C104038&link_ref=www.paypal.com_signinGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                    • 192.229.221.25
                                                                                                                                                                                                    mips.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                    • 152.199.65.22
                                                                                                                                                                                                    NoteID [4962398] _Secure_Document_Mrettinger-46568.docxGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                    • 152.199.21.175
                                                                                                                                                                                                    FRSSDE.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                    • 152.195.19.97
                                                                                                                                                                                                    file.exeGet hashmaliciousPureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                    • 152.195.19.97
                                                                                                                                                                                                    https://t.ly/sID8iGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                    • 152.199.21.175
                                                                                                                                                                                                    https://pzpvsr8w.r.us-west-2.awstrack.me/L0/https:%2F%2Flmmoya.online%2Fcave.html/1/010101933f26e1e0-1115fe0b-5025-44be-8af4-15d6df5c778e-000000/HfxdUzBUygbU0CHkcLEJKW7Wybk=401Get hashmaliciousHTMLPhisher, Mamba2FABrowse
                                                                                                                                                                                                    • 152.199.21.175
                                                                                                                                                                                                    http://login.nojustgive.com/ueAQYUzzGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                    • 152.199.21.175

                                                                                                                                                                                                    JA3 Fingerprints

                                                                                                                                                                                                    No context

                                                                                                                                                                                                    Dropped Files

                                                                                                                                                                                                    No context

                                                                                                                                                                                                    Created / dropped Files

                                                                                                                                                                                                    C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0x22b3949e, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):1048576
                                                                                                                                                                                                    Entropy (8bit):0.8697351675949698
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:1536:LSB2qSB2gSjlK/LfDalKohVF8/bGLBSBLil2d/3Cr5DHzk/3A5v7GoCnLKxKHKrx:LapaQK0yfOD8F31Xw
                                                                                                                                                                                                    MD5:5EF19539EE05F28464B023203A9CC96E
                                                                                                                                                                                                    SHA1:A035813236417D480DD578A882656CE2208530A1
                                                                                                                                                                                                    SHA-256:8FEE9E92E40B217C706532AB4E5DE01CA97D0421A98ED317E39AD4C5534CD38E
                                                                                                                                                                                                    SHA-512:77A677FC04D6D9093F97D27ED947653603D9F6A9C65CC78F240BEC98EE28C3E9E2754D63E8C4E49E6C69AD459299C5FFDE76FB784E1C7BA67D5C7B790AF0D26E
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:"...... ................p..*9...y........................0..........|).4....|U.h.2...........................).*9...y..........................................................................................................bJ......n....@...................................................................................................... ........3...{g......................................................................................................................................................................................................................................TD~4....|U...................]u4....|U..........................#......h.2.....................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                    C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):328
                                                                                                                                                                                                    Entropy (8bit):3.546532757495186
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:6:kKLd8wCsTwD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:TdhsImsLNkPlE99SNxAhUe/3
                                                                                                                                                                                                    MD5:75BA8AFC64308822BE9F47717D774FC1
                                                                                                                                                                                                    SHA1:F14051E6A99CBFF06001253214F763F41CAE3782
                                                                                                                                                                                                    SHA-256:777807B3E51E959D510B0B61E416ACE6E278A5C2A5DBF681F68A66A2F1F996E9
                                                                                                                                                                                                    SHA-512:76FEF42BF758270F435AFA0B8ED6BA1075B6EECB6DE2FC0FCDB1EF7D7FCE67085A5B74DAD29B7E553420B27E6A77A6256AF6ED69ADE32789377F1A6A11A1DA9A
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:p...... ............=..(...............................................U...=?.. ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

                                                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Zoom.exe.log

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\AppData\Roaming\Zoom.exe
                                                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):1183
                                                                                                                                                                                                    Entropy (8bit):5.356029462517172
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:24:ML9E4K1BIKDE4KhKMaKhRAE4KzDAfE4KnKIE4oKnKo9E4KhROtHM:MxHK1BIYHKh6oRAHKzMfHKntHoAlHKh/
                                                                                                                                                                                                    MD5:54AC8B422C14A1D319806B83D3E54233
                                                                                                                                                                                                    SHA1:A030D676C9697AFAE3D4499EC142700FE059AB38
                                                                                                                                                                                                    SHA-256:A2A67CCAE5BBACFA68E3403DC2F3177F3DA6CD234A0821DA39CB3387C1C5FDFE
                                                                                                                                                                                                    SHA-512:59F41ED9281AED912B0AA719913D351DEC57AF968F490C99D668E033EB2C936B4C813C59C94EB003AE59DB06EEBCCCC8E5426AAE58D003C04B443EC2159B6643
                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\827465c25133ff582ff7ddaf85635407\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\374ae62ebbde44ef97c7e898f1fdb21b\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\10879c5bddb2dd2399e2098d5ca5c9d1\System.Xml.ni.dll",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\b863adc9d550931e279ac7e2ee517d1f\System.Configuration.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=n

                                                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000040.db

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Windows\explorer.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):103024
                                                                                                                                                                                                    Entropy (8bit):4.011828162670989
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:1536:2kB+JCviYiciooz7vpAi8XGpnoiUiZR7+IT/l:2kB+JCviYicioozjeij7+ITt
                                                                                                                                                                                                    MD5:5DF567A82D54AE5EA2C52E1C2AAC0539
                                                                                                                                                                                                    SHA1:81AC902A586FE22107FD027E92AF7ED22C4C3232
                                                                                                                                                                                                    SHA-256:119B56575118FE06D88E8CDC6D5F64DD89321081B36CB00C47B109BD6FEE2AD8
                                                                                                                                                                                                    SHA-512:374B1AB47BC619820F17280A51D0C7BFDCCA188B9C53FEFE7DC2D63FB917CE2ABE0033E78FEB9D55AD30E716E552FE560302060AAAF8891AF53CD454CAFD6F72
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:....h... ...p...........P...............P.......Y..................H...N.......e.n.-.U.S.;.e.n.-.G.B..............................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................A.r.t.h.u.r.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u......................(..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>...........................................

                                                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000041.db

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Windows\explorer.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):103024
                                                                                                                                                                                                    Entropy (8bit):4.013140636475992
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:768:HlEnktGTmO3Ljk0uJCviYiciooz7vNNhLKB9DqPtvmMSU9R1vokyXMmuypL3gUiz:qk4+JCviYiciooz7vei8XGpnjr+ITnl
                                                                                                                                                                                                    MD5:2E58FC431958D492DBAC2F685DDF77B3
                                                                                                                                                                                                    SHA1:739DA7A53347BE0C9F17EB74FFC4E3DAB27D4B15
                                                                                                                                                                                                    SHA-256:9FBCFAD1E0C9A74397A38A1C96B017D9397968F5A21DD7567DD22EB868C32E9E
                                                                                                                                                                                                    SHA-512:764C4AEF5FF02F5187AD1BF5865A5A344D4B0EB37B073B7A5D426BAFCABEA904C5F9643E8221FE6C55939EDCC35739A8D4B3551B6B7935EE9A1C8D3FB315A92F
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:....h... ...p...........P...............P.......Y..................H...N.......e.n.-.U.S.;.e.n.-.G.B..............................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................A.r.t.h.u.r.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u......................(..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>...........................................

                                                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):64
                                                                                                                                                                                                    Entropy (8bit):0.34726597513537405
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:Nlll:Nll
                                                                                                                                                                                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                                                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                                                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                                                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:@...e...........................................................

                                                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fnzcxkir.mkc.psm1

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sacdv3l2.3dm.ps1

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):60
                                                                                                                                                                                                    Entropy (8bit):4.038920595031593
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\AlternateServices.txt

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:ASCII text
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):290
                                                                                                                                                                                                    Entropy (8bit):4.6817296791758745
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:6:2gIjWPYZRgIjWPeWPqUdlfE0v0qfxNdtYZRtdtl0dtqUdlfE0v0qfxM:2NjWQFjWWWSYfjde1dodUYfW
                                                                                                                                                                                                    MD5:D5F55C491DA91E978278C64347BD5444
                                                                                                                                                                                                    SHA1:4A19AFB55C259898DF563FE6886991CCA17C7E5A
                                                                                                                                                                                                    SHA-256:6191E59701A5BE3D1E494F0AC61501D81DD80708E47B72371A3523941310F782
                                                                                                                                                                                                    SHA-512:C3BB9EC0098A9E47DFFA4FA93E2D3AD46549803F91E1EAE1E34367D5A5B9B278D12E55F28865BA0565A0104533EC919C582F3D28371C1BAE62E9CC36286B7C28
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:https:r2---sn-4g5ednsk.gvt1.com:443:.::3.0.18857.https:r2---sn-4g5ednsk.gvt1.com:443:r2---sn-4g5ednsk.gvt1.com:443::n:1631877068:h3:y:1629285047:n::|n:y:.https:redirector.gvt1.com:443:.::3.0.18857.https:redirector.gvt1.com:443:redirector.gvt1.com:443::n:1631877068:h3:y:1629285047:n::|n:y:.

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\SiteSecurityServiceState.txt

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):599
                                                                                                                                                                                                    Entropy (8bit):5.386036945865638
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:12:SLFbuBMQceauAGQn255r4LodoTgedqF6JdI0/7aasg:SBKDcOAGI255r4/bAFidI0/7aa1
                                                                                                                                                                                                    MD5:C6C450C79D047130365B2D7023ED8956
                                                                                                                                                                                                    SHA1:B6EA3F9BD6123647586571BD327A843C76A934EC
                                                                                                                                                                                                    SHA-256:6F3DAAA9BF42432CCB759618208BD508826FEEC6ACED2A5B34E4911E502CB028
                                                                                                                                                                                                    SHA-512:C000DA00189AB761412C2A28A649D7533DA7AC0430B2795CE805054EE6DA69AD31DB36458F90A6529416BB3697F83D8D010950F896534839F2C4A81C40DB5DEA
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:....<?xml. version.="1.0" e.ncoding=."utf-8"?.>..<Conf@igurat..S.ource V.l..H .Let T.ype="pro.v.." Sett...sGroup=."2dd0a06.6-7ca2-5.bd8-8371.-225edda.f6ef5" D.ata="$(_..F)\RunTi.me\0__Po.wer..licyB..dAoAc..". /V._...K1.K.!1" .[Pla.tformRol..2.V.9.V8.+.|._.BT+2.|.VE....!Range:0.,._Proces.sorVendo.r="!patt.ern:(.*Q.ualcomm..*)?>.>3.?>R.'.8....</..>....?.?.?.?.?.?.?..?.?.?.?.?.?.?.?..?.?.?.?.?.?.?.?..?.?.?.?..........................................................................................................................................................................................

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\addons.json

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):24
                                                                                                                                                                                                    Entropy (8bit):3.91829583405449
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:YWGifTJE6iHQ:YWGif9EE
                                                                                                                                                                                                    MD5:3088F0272D29FAA42ED452C5E8120B08
                                                                                                                                                                                                    SHA1:C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
                                                                                                                                                                                                    SHA-256:D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
                                                                                                                                                                                                    SHA-512:B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{"schema":6,"addons":[]}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\broadcast-listeners.json

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):216
                                                                                                                                                                                                    Entropy (8bit):4.745779869552726
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:6:YWLSf85jcM2MAfeKSyPSRJKGDuQ6s/WoMmgjwHbSRmnPE2cb:YWLSf6gMAfzSyqAGDNFMmqmpncBb
                                                                                                                                                                                                    MD5:52EE553AFA64723FD4F1BAFB552F5FC2
                                                                                                                                                                                                    SHA1:F134349B224F6C7A5918415955A2069B69F28EB9
                                                                                                                                                                                                    SHA-256:8E128BF88A7D0CD2B14766E5BE9760EE9935C789FB451C4EBFDEBC4BFF4CB2E7
                                                                                                                                                                                                    SHA-512:19FBCE641DAD16897CD68C163448FE08CC52DA213ABEBBDC1F8BBA6EF67D1ED283799167F718713E02F7B5E21283D0AE69E2F86DEA2B5FD2072B216C32271B2C
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{"version":1,"listeners":{"remote-settings/monitor_changes":{"version":"\"1642647459958\"","sourceInfo":{"moduleURI":"resource://services-settings/remote-settings.js","symbolName":"remoteSettingsBroadcastHandler"}}}}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\cert9.db

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 32768, file counter 6, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 6
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):229376
                                                                                                                                                                                                    Entropy (8bit):0.567777845686793
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:192:qOFva0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23v0HnextcyS50+xHx9TSufMOgyR:f1zkVmvQhyn+Zoz67rHD8+xNleMM0ALe
                                                                                                                                                                                                    MD5:34FCEF8DCBAA19CB895F3E280BF0491F
                                                                                                                                                                                                    SHA1:E7B3276EA91E6007DE56F24657BE1E9E6C98B3AB
                                                                                                                                                                                                    SHA-256:71BCE13AFFA09CE1917524B87D0900E65E93CA697DE079BEADCADED54C6BF3A4
                                                                                                                                                                                                    SHA-512:10AC19D7C19867226D223F579BFB1E933D44DB3EAFA53BF56E20D19328271913FA5ABD121D392AC01AE9FF555A9C61C237ED7F98FA763B6F9ED31A93375CEAF9
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................S`.....z..{...{.{j{*z.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\compatibility.ini

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:Windows WIN.INI
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):199
                                                                                                                                                                                                    Entropy (8bit):5.392302626810697
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:tZAQcmKUUmrXUmUW2NE2aT/P4WX1rDZjrEFwHQ3ZjrEFwslyy:fPHrXHUNbabN1rDVEFycVEFL
                                                                                                                                                                                                    MD5:2FD627F0CA372F088FC7F1E670CAB275
                                                                                                                                                                                                    SHA1:5905501623F3306F2D67443A7CD8EFEA15BA87A4
                                                                                                                                                                                                    SHA-256:2CAA3A1AF5F8284DEFAD3AAFD89918FE4103E15A3C8DBCF3828D56CD657B9AF3
                                                                                                                                                                                                    SHA-512:4E1512EBC7FFE61A7C5FE122830D5E767A6A906276F469D1FAE82D6F2E85064346E177EEF0950C893AA3C28F2CB4D6BC67DE722B29A39E25A84F4B7EF7E4544C
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:[Compatibility]..LastVersion=91.0.1_20210816143654/20210816143654..LastOSABI=WINNT_x86_64-msvc..LastPlatformDir=C:\Program Files\Mozilla Firefox..LastAppDir=C:\Program Files\Mozilla Firefox\browser..

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\containers.json

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):939
                                                                                                                                                                                                    Entropy (8bit):4.6537982971213685
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:24:YWLSWfBfC8DJ1Cfvu7Ff/E4fu7qfU9RqRVu73fRzdUsu7kfASA6fXmSy2y:YWLvfBfC8r7Ff/ET7qfU9Ai73fRzdU35
                                                                                                                                                                                                    MD5:94A3843FAD8C45C48B0E07342DF3DFDC
                                                                                                                                                                                                    SHA1:D55B650208BDA884D573AFEBD90830A3F4D7C201
                                                                                                                                                                                                    SHA-256:854FF2076F71097B030C302A1EA71D8E851D2920B9FF5FC8DC8F16C91BA95B72
                                                                                                                                                                                                    SHA-512:4D2A6B2A223AD81BB97195ABB27685CF88453CAF5769DE154B373486D5245F02E0C0F664281D8E3BB33BFCDF1D6F7B3D9602303864D4E56481382ADCB0B932DB
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{"version":4,"lastUserContextId":5,"identities":[{"userContextId":1,"public":true,"icon":"fingerprint","color":"blue","l10nID":"userContextPersonal.label","accessKey":"userContextPersonal.accesskey","telemetryId":1},{"userContextId":2,"public":true,"icon":"briefcase","color":"orange","l10nID":"userContextWork.label","accessKey":"userContextWork.accesskey","telemetryId":2},{"userContextId":3,"public":true,"icon":"dollar","color":"green","l10nID":"userContextBanking.label","accessKey":"userContextBanking.accesskey","telemetryId":3},{"userContextId":4,"public":true,"icon":"cart","color":"pink","l10nID":"userContextShopping.label","accessKey":"userContextShopping.accesskey","telemetryId":4},{"userContextId":5,"public":false,"icon":"","color":"","name":"userContextIdInternal.thumbnail","accessKey":""},{"userContextId":4294967295,"public":false,"icon":"","color":"","name":"userContextIdInternal.webextStorageLocal","accessKey":""}]}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\content-prefs.sqlite

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:SQLite 3.x database, user version 4, last written using SQLite version 3036000, page size 32768, file counter 1, database pages 7, cookie 0x6, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):229376
                                                                                                                                                                                                    Entropy (8bit):0.05477157492870174
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:24:DLinHvwae+QDUu5xxjaWewLxYkKS55huA:DePwae+QYMbleuekKS55
                                                                                                                                                                                                    MD5:5A669D8AF20D4C176095995D2D283530
                                                                                                                                                                                                    SHA1:1BA2DB89B20379F3D4737C93609B89E07F2E237E
                                                                                                                                                                                                    SHA-256:9DBECD72FB3F52199437A3453564986E53E0E9D6F350CB979C4230CA4ECA2F4E
                                                                                                                                                                                                    SHA-512:C3D5C27CA9D275C8C0B3C3A84311C2F0ED88744480B529C458C6D86F9196D3CA2380384774753C163BEB4CA2B022132F2FDF4AF9562F2862DBB6C3597CB6102E
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................S`.....|....~.}.}z}-|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\cookies.sqlite

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:SQLite 3.x database, user version 12, last written using SQLite version 3036000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):98304
                                                                                                                                                                                                    Entropy (8bit):0.08231524779339361
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:12:DQANJfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQANJff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                                                                    MD5:886A5F9308577FDF19279AA582D0024D
                                                                                                                                                                                                    SHA1:CDCCC11837CDDB657EB0EF6A01202451ECDF4992
                                                                                                                                                                                                    SHA-256:BA7EB45B7E9B6990BC63BE63836B74FA2CCB64DCD0C199056B6AE37B1AE735F2
                                                                                                                                                                                                    SHA-512:FF0692E52368708B36C161A4BFA91EE01CCA1B86F66666F7FC4979C6792D598FF7720A9FAF258F61439DAD61DB55C50D992E99769B1E4D321EC5B98230684BC5
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................S`.....}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\crashes\events\b1b9218b-5a2a-4f20-8169-922c29c9cd49

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:ASCII text, with very long lines (32764)
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):32826
                                                                                                                                                                                                    Entropy (8bit):5.15797451550494
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:768:ecYZs6cB461urNuQp+IsBsIsBcuCULnPXuk01vB:nYZs69uQpUtsPWZ
                                                                                                                                                                                                    MD5:E1892BB22C5ECA605B88C7266C1D4A53
                                                                                                                                                                                                    SHA1:1C39516B01745F95BC4E1943338918F3AE09ECE9
                                                                                                                                                                                                    SHA-256:F60F22E5214FAEC53D7F23DB62EB0FA0DD12B520EE481E514AB66C1561EB5F7C
                                                                                                                                                                                                    SHA-512:7E48569A1AAEC57275F1CE8DF273A92D9518682FCAF539B02232914A2A865B1A7A753802A0882B14B9FB0C0AC8B181C9C33B4766D37BBFFA7FE3552B96A4082A
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:crash.main.3.1642668797.b1b9218b-5a2a-4f20-8169-922c29c9cd49.{"AdapterDeviceID":"0x3e98","AdapterDriverVersion":"27.20.100.9415","AdapterSubsysID":"3e981849","AdapterVendorID":"0x8086","Add-ons":"doh-rollout%40mozilla.org:2.0.0,formautofill%40mozilla.org:1.0.1,pictureinpicture%40mozilla.org:1.0.0,screenshots%40mozilla.org:39.0.1,webcompat%40mozilla.org:24.2.0,default-theme%40mozilla.org:1.2,google%40search.mozilla.org:1.1,chambers-en-GB%40search.mozilla.org:1.0,wikipedia%40search.mozilla.org:1.1,bing%40search.mozilla.org:1.3,amazon%40search.mozilla.org:1.9,ddg%40search.mozilla.org:1.1,ebay%40search.mozilla.org:1.3","AvailablePageFile":"17117495296","AvailablePhysicalMemory":"14416084992","AvailableVirtualMemory":"138531259502592","BreakpadReserveAddress":"1771432640512","BreakpadReserveSize":"83886080","BuildID":"20210816143654","CPUMicrocodeVersion":"0xca","ContentSandboxCapable":"1","ContentSandboxLevel":"6","ContentSandboxWin32kState":"Win32k Lockdown disabled -- Preference not set"

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\archived\2022-01\1642668732354.d5086e2e-a2f2-4367-adfe-925ac1cc9e8b.health.jsonlz4

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:Mozilla lz4 compressed data, originally 489 bytes
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):443
                                                                                                                                                                                                    Entropy (8bit):5.601832767336151
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:12:vlcFg6H0IisJHMVHkTHBP08euzv/50sBnGQJB4:v5sVGkTZ08eo/5Hw9
                                                                                                                                                                                                    MD5:7784BD5BE4CB40F0F9AB083CB755B7A3
                                                                                                                                                                                                    SHA1:0310BC9532EA4F259A09E759D976AB33709763FE
                                                                                                                                                                                                    SHA-256:8CEFDD37D22F247261B46340F74778E8008E6929E110BF87F3175372C1C4B373
                                                                                                                                                                                                    SHA-512:71472DDD499C9BCFFA69F158A2838F93AADEBCB3B2241493F830EC842F16FF9E84FA0FAFCDBE242F8EE39B2E61364CA061E3B333EEEBA8E227167FC435AF54AF
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:mozLz40......k{"type":"health","id":"d5086e2e-a2f2-4367-adfe-925ac1cc9e8b","creationDate":"2022-01-20T08:52:12.354Z","version":4,"applic9...":{"architectur....x86-64","buildI...2021081614365..0nam+.xFirefox_..."91.0.1","displayVy......vendor":"Mozilla","platform....xpcomAbi..._64-msvc....hannel":"release"},"payload.. os.....YWINNT..@10.02.@reas...."immediate","sendFail....{"eTerminated":1}},"client....56585a2f-ae77-4cbd-b8c0-29e7791afbf6"}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\archived\2022-01\1642668732387.2edead36-70e7-48e3-901a-6d958f91bcc1.event.jsonlz4

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:Mozilla lz4 compressed data, originally 7260 bytes
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):3823
                                                                                                                                                                                                    Entropy (8bit):6.6131107536757465
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:96:kK+8E6ysqlqlhqx9dSug9uJw9BqVYY4dijP8xsF+pgp4I:tys5hqxK9u4HYurNa
                                                                                                                                                                                                    MD5:B07417BA0F1C2ECF354786520D33A673
                                                                                                                                                                                                    SHA1:87928D1E8B98619582343AE3C0243A515D42AB88
                                                                                                                                                                                                    SHA-256:D7B20094C4B973ED26909D0698393962C82D3887EA7468D0902130CF5C707104
                                                                                                                                                                                                    SHA-512:2C6B8C4184BD5E35E2DBA57E9BF6F2F14CECFA8CF96BB48D328B9472A480AC656AE94517C22F486CAC72E1F7973011F9C681F9DF24965199F4AB959A23F7886B
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:mozLz40.\....9{"type":"event","id":"2edead36-70e7-48e3-901a-6d958f91bcc1","creationDatC...2022-01-20T08:52:12.387Z","version":4,"applic9...":{"architecturE...x86-64","buildI...021081614365..0nam+.xFirefox_.`"91.0....displayVy......vendor":"Mozilla","platform....xpcomAbi..._64-msvc....hannel":"release"},"payload..@reas..."shutdownh...rocessStartTimestamp":1642668720000,"ses-......3ce01ae6-d8fd-4f1d-9d7b-230ce574cfb5","sub6...f301b83c-25de-49dd-b4da-5405ab9c606b","lostE...sCount":0,...s..0par...:[[1657,"dohj..t...&,"rollback","null"],[1844,"upgrade_dialog","trigger",...,"not-major7.L3329^..4..^..'......O3610N...'...N.._14235O...]}},"client... 56585a2f-ae77-4cbd-b8c0-29e7791afbf6","environmf..{......!..O...{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"Z..N#..g. ....<...i...V.!..updaterAvailable":trueZ.Prtner ..distribu{..!.."..............<..,......$..U.4orC......>..R..s":[]},"system....memoryMB":15901,"virtualMax...34217728,"cpu1..cj..16,"cores":8j......GenuineIntel","family":6,"modm...158,"ste

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\archived\2022-01\1642668732395.b2cdd6c0-23fa-4542-90a3-858d8b88556d.health.jsonlz4

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:Mozilla lz4 compressed data, originally 488 bytes
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):441
                                                                                                                                                                                                    Entropy (8bit):5.666630340055098
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:12:vukFgcGDkUsAIissMVHkTHBP08euzv/50tWBkDw8v4:vu7D7ssGkTZ08eo/5/SMN
                                                                                                                                                                                                    MD5:62FEA8AB5D4A48C2D02F8125B06E8832
                                                                                                                                                                                                    SHA1:EF5EE47D449297F528FEF9CF69A2240011714928
                                                                                                                                                                                                    SHA-256:300A20FA277B59E805D358C66E8E036375D825815E968D91DB7545942EC71E3D
                                                                                                                                                                                                    SHA-512:5165D2195516694548F2B1E046597B1FD907144ED74C3EEF47722ABCB67B7A660B4E2693AA4926BADD1908B1DB5141D5B4B52B2F24930257B09B6500838BC778
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:mozLz40......k{"type":"health","id":"b2cdd6c0-23fa-4542-90a3-858d8b88556d","creationDate":"2022-01-20T08:52:12.395Z","version":4,"applic9...":{"architectur....x86-64","buildI...2021081614365..0nam+.xFirefox_..."91.0.1","displayVy......vendor":"Mozilla","platform....xpcomAbi..._64-msvc....hannel":"release"},"payload.. os.....YWINNT..@10.02.@reas...."shutdown","sendFail....{"eTerminated":2}},"client....56585a2f-ae77-4cbd-b8...9e7791afbf6"}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\archived\2022-01\1642668732404.46400eb1-af73-4878-b5d1-1e1a932c2524.main.jsonlz4

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:Mozilla lz4 compressed data, originally 48245 bytes
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):16205
                                                                                                                                                                                                    Entropy (8bit):6.900807311536035
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:384:H+lbZ9VGVCKnNfcMFdvM9DOgiQxS59Yjm5sjdX+pPrg:mbzVGldd09DOfqS59YK5s8p0
                                                                                                                                                                                                    MD5:A5D2CEA0156D1DB59F3D0912844E9DE2
                                                                                                                                                                                                    SHA1:B0EE6CFAA29969551E473D4CA906B816B68F0ECF
                                                                                                                                                                                                    SHA-256:5306007C310BB1DC3A526C684AD21F300D9A20DA59A0F2EF27BA16A94BD586DE
                                                                                                                                                                                                    SHA-512:F0520C994265C048725260DBC3C52EE9AF671C7C0FD668A34777929DDCD70C66AE612F5536171271C79EEC2E6E7B55E7C359C63B486A649D9B22429F43266558
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:mozLz40.u....i{"type":"main","id":"46400eb1-af73-4878-b5d1-1e1a932c2524","creationDate":"2022-01-20T08:52:12.404Z","version":4,"applic9...":{"architectur..Px86-6].`buildI...2021081614365..0nam+.xFirefox_..."91.0.1","displayVy......vendor":"Mozilla","platform....xpcomAbi..._64-msvc....hannel":"release"},"payload..1ver....simpleMeasurements..ptotalTi...14,"start":16,....:131,"selectProfil)..5,"after...Locked":15-..C..upCrashDeQ..ionBegin":367d..!. En@...4202,"firstPain..8219..p2":1235....ssionRestoreInit":47......V.3688$...eTopLevelWindow":482,"quitA...14205,"p...BeforeChang...236,"AMI_-.Cup_b..m99,"XP..2411....bootstrap_addons9.?413!...e..+42X..............finalUIS......64..Pializ...487,"delayed5.......L1523..bFinish...79..upInterrupt...05..buggerAttac/..0.......VisibleReadBytes":62628......'.TWrite(.0476...'..S...O.e556978w..)..Q.P16790...ctiveTicks":3N.`rocess..`{"pare...{"scalarG...blocklist.mlbf_source...mote_match",'..!tash_time_oldest":"Thu, 06 Jan 2022 12:35:08 GMTC..rowser.engag

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\archived\2022-01\1642668830525.78fa850f-44f7-479b-b769-53266eaad482.event.jsonlz4

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):3709
                                                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3::
                                                                                                                                                                                                    MD5:AABFDCC3541633B46362091193C6573B
                                                                                                                                                                                                    SHA1:FA7BA98FDCC6529F0875839BB58456E6353B45D0
                                                                                                                                                                                                    SHA-256:5B05DEC39F7F584F64C9E2860B83C19150A85CDA5B9BCBD9AA599481962D9497
                                                                                                                                                                                                    SHA-512:DB12BC780608DDE0408274452904F3CBF65970D42085925E5D6B9CB9C14D67C5509334D89DC1850E77D23671594B869369B17133603C66877C3B1B03CEB436B4
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\glean\db\data.safe.bin

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:Matlab v4 mat-file (little endian) r, rows 0, columns 1025
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):2110
                                                                                                                                                                                                    Entropy (8bit):4.2519959116998685
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:48:OyokdRoJ1uoLoTogko6HSOF9QdbbezaWJw:BNRjmKvkPSOF9QVbezaAw
                                                                                                                                                                                                    MD5:7409FE3813AD9105F7C923BD1ABC7653
                                                                                                                                                                                                    SHA1:DC4E96FA349183A048D0C9548E5F593062B8429D
                                                                                                                                                                                                    SHA-256:988A2A5813D6288A129F37F4D871A2735093876B4A3516B6602AB04BF2115944
                                                                                                                                                                                                    SHA-512:462B560A84F3910856AA0435FDE8C189E9B60BD65EC4F9FE9EE22760483333DE8058F8442F591CEF25B3B4A0F5EE5D2722EE56856735DD1FC453995EF1846E75
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:.................user............(.......baseline#glean.validation.first_run_hour<........3...........#.......2024-11-18T15:02:32.141829800-05:00............glean_client_info#client_id9........0...........$.......425a3d15-b68b-4ba2-9f76-6a7f8a5a2936 .......glean_client_info#first_run_date<........3...........#.......2024-11-18T15:02:32.134362600-05:00....%.......glean_internal_info#baseline#sequence.........................".......glean_internal_info#baseline#start<........3...........#.......2024-11-18T15:02:32.309391300-05:00............glean_internal_info#dirtybit......................$.......glean_internal_info#metrics#sequence.........................!.......glean_internal_info#metrics#start<........3...........#.......2024-11-18T15:02:32.246609700-05:00....&.......glean_internal_info#mps.last_sent_time<........3...........#.......2024-11-18T15:02:32.235773700-05:00....'.......metrics#glean.validation.first_run_hour<........3...........#.......2024-11-18T15:02:32.141829800-05:00..

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\session-state.json.tmp

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):161
                                                                                                                                                                                                    Entropy (8bit):4.863812475466025
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:YWAqKs4VXg/zlpBiDpS9JHBMfdQ9NV6hFTGlsJVxJA2aqnLTHrza/H5C:YWAqfYQ/7Bic6fDhoGOanLv+/ZC
                                                                                                                                                                                                    MD5:D9F34EC0A82A2CF55D5723A27FFF600B
                                                                                                                                                                                                    SHA1:5227261F98B82C924C8EF71C8FB022F3837443B5
                                                                                                                                                                                                    SHA-256:96224D2274AA3169A73FB137AD37A6A8DBFD60DCCB6067ADCA23F92E73F40510
                                                                                                                                                                                                    SHA-512:5D6E0804F7FE8E760A16410BC4F1F2F80364A19EB7A00EF1844F3E60AC5F9C218A5D6218696F094E69E3D963B43205AC53930BF96B342A8FFA51107436741FB3
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{"sessionId":"e02bedde-e940-4a7e-bcd2-f66f60177031","subsessionId":"225e5b32-baa7-475c-9033-eb6cd6449482","profileSubsessionCounter":1,"newProfilePingSent":true}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\datareporting\state.json

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):51
                                                                                                                                                                                                    Entropy (8bit):4.48557583191305
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:YGJBQv9QFnekVIXJEbDT4:YG8aFnecB4
                                                                                                                                                                                                    MD5:6A0EA22FEC305A7B0BC5D778F6438270
                                                                                                                                                                                                    SHA1:7D20B483EF61B648438550D175B40306DA624CA2
                                                                                                                                                                                                    SHA-256:43B55C64F42DC15B2D7B987C74D4390E9EFF1A4749BF6E001B44FCF4B73BBC5C
                                                                                                                                                                                                    SHA-512:444D3F0582974F7BDCD5063731FD0E32F499C27D5BBDC05A4C4815890E9F0F31926A46770C0A60D66720CE91CF23550A3AAEFEDC3190258D5570FDC42D4E31B2
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{"clientID":"56585a2f-ae77-4cbd-b8c0-29e7791afbf6"}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\extension-preferences.json

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):1443
                                                                                                                                                                                                    Entropy (8bit):4.610509223224478
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:24:YGDov8FIFDov8FPVDov8FPFDov8FdlgDov8FVfKFNkmKFkmKFdh9cmKFJmKFfmK/:YXmxL8nkqFg
                                                                                                                                                                                                    MD5:D08CF0A9CD23B6E0BC8254BBADD38953
                                                                                                                                                                                                    SHA1:A4FE92B85B36B085AA358CF1811B2BC671BEA0FD
                                                                                                                                                                                                    SHA-256:A3B59AE25B83BB8BFCF4D3B3DCDA4FCB16CFE8306541721F71D9C82D1619086F
                                                                                                                                                                                                    SHA-512:EA4029D277C83248EE2D9463CEC1F11305715D122B1DCADCDA0C635BC56C4313F0A038F6ECB3145306832432916D1BEC33B0D911695D501A63FE8A54D283F651
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{"doh-rollout@mozilla.org":{"permissions":["internal:privateBrowsingAllowed","internal:svgContextPropertiesAllowed"],"origins":[]},"formautofill@mozilla.org":{"permissions":["internal:privateBrowsingAllowed","internal:svgContextPropertiesAllowed"],"origins":[]},"pictureinpicture@mozilla.org":{"permissions":["internal:privateBrowsingAllowed","internal:svgContextPropertiesAllowed"],"origins":[]},"screenshots@mozilla.org":{"permissions":["internal:privateBrowsingAllowed","internal:svgContextPropertiesAllowed"],"origins":[]},"webcompat@mozilla.org":{"permissions":["internal:privateBrowsingAllowed","internal:svgContextPropertiesAllowed"],"origins":[]},"default-theme@mozilla.org":{"permissions":["internal:svgContextPropertiesAllowed"],"origins":[]},"google@search.mozilla.org":{"permissions":["internal:svgContextPropertiesAllowed"],"origins":[]},"chambers-en-GB@search.mozilla.org":{"permissions":["internal:svgContextPropertiesAllowed"],"origins":[]},"wikipedia@search.mozilla.org":{"permission

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\extensions.json

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):42229
                                                                                                                                                                                                    Entropy (8bit):5.142426224871535
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:768:IOZI40xf5X+4DWF4F4V4ev4j4M4+h5hvM4+4K454e4y:Pyhfvn
                                                                                                                                                                                                    MD5:290FFB03D24D35978C16D17A7200877B
                                                                                                                                                                                                    SHA1:122CD07919DDB7C8EC7D0B2A9BFA74164D7D73C2
                                                                                                                                                                                                    SHA-256:C3B8AD7440FCAB4DB9C1695D80E174276BC9CF5F8957F84236670E068B0D0DF3
                                                                                                                                                                                                    SHA-512:4C92D15BE855973CFEEE0B35266946E096FCE953D949A79587FC8E4E968AED4F38535249775786D487A94F49076F333A583DFC31F5EC290147B2968615BA5562
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{"schemaVersion":33,"addons":[{"id":"doh-rollout@mozilla.org","syncGUID":"{49f244b0-1dfb-43a5-b381-1c990e67fded}","version":"2.0.0","type":"extension","loader":null,"updateURL":null,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"DoH Roll-Out","description":"This used to be a Mozilla add-on that supported the roll-out of DoH, but now only exists as a stub to enable migrations.","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1629138613000,"updateDate":1629138613000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\doh-rollout@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":"72.0a1","maxVe

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\favicons.sqlite

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 32768, writer version 2, read version 2, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):5242880
                                                                                                                                                                                                    Entropy (8bit):0.05607502600030826
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:384:cRxClqsKbKsqDl4ZfLu2+PFTUJLu2+PFTUyLu2+PFTUL:c3ClHQz04fZzJZzyZz
                                                                                                                                                                                                    MD5:D27CC46542F0870189C59C9A1AE6BCCC
                                                                                                                                                                                                    SHA1:5B804B50C5B9D108C49B587BCB37F905CB70EAF3
                                                                                                                                                                                                    SHA-256:B22C820684ED8FB956D726877EAA005F12DC705CB899AA917DB6DD0E7B6266A0
                                                                                                                                                                                                    SHA-512:670BE7F450E3E625BCD88883EFF1F9464BE863A5C6889BE2250781ED2B309521A9F4B2E5830E4AE1463ED6FEFBC2FDF79796A2EB120998CFF4EBF12D2DF88A5C
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................S`.....{..~.~p}.}>{.{.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\gmp-gmpopenh264\1.8.1.1\gmpopenh264.info

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:ASCII text
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):116
                                                                                                                                                                                                    Entropy (8bit):4.968220104601006
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
                                                                                                                                                                                                    MD5:3D33CDC0B3D281E67DD52E14435DD04F
                                                                                                                                                                                                    SHA1:4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
                                                                                                                                                                                                    SHA-256:F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
                                                                                                                                                                                                    SHA-512:A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\gmp-widevinecdm\4.10.2209.1\LICENSE.txt

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:ASCII text
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):479
                                                                                                                                                                                                    Entropy (8bit):4.381877948550338
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:6:Ci1FD+DmsDZrkrDxBYRgELGNB+cIMLohXOl0t1iKR/UFioWd9+iAt4jZMeLhJoUe:CiCDtVEDsCDLeelyigqBjt4eK2fylL6
                                                                                                                                                                                                    MD5:49DDB419D96DCEB9069018535FB2E2FC
                                                                                                                                                                                                    SHA1:62AA6FEA895A8B68D468A015F6E6AB400D7A7CA6
                                                                                                                                                                                                    SHA-256:2AF127B4E00F7303DE8271996C0C681063E4DC7ABDC7B2A8C3FE5932B9352539
                                                                                                                                                                                                    SHA-512:48386217DABF7556E381AB3F5924B123A0A525969FF98F91EFB03B65477C94E48A15D9ABCEC116B54616D36AD52B6F1D7B8B84C49C204E1B9B43F26F2AF92DA2
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:"Google Inc. and its affiliates ("Google") own all legal right, title and.interest in and to the content decryption module software ("Software") and.related documentation, including any intellectual property rights in the.Software. You may not use, modify, sell, or otherwise distribute the Software.without a separate license agreement with Google. The Software is not open.source software...If you are interested in licensing the Software, please contact.widevine@google.com..

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\gmp-widevinecdm\4.10.2209.1\manifest.json

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):372
                                                                                                                                                                                                    Entropy (8bit):4.588307090992685
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:6:XWYe/pY2Fgw56Vl0/ypHy6FHdaS1ijF0x1aQTcHPR4eMu45W8FciHBY:XcK2CwCl3pHnz1iBQafRxRqcku
                                                                                                                                                                                                    MD5:292A1B5EF17CE0AF51310108946E8E8A
                                                                                                                                                                                                    SHA1:A680A3FE60C4E779B2DD0688B33294B40B6B5699
                                                                                                                                                                                                    SHA-256:D63E2D7256D2DB31422126D0B43552C25EC27C5E03F774EEF1CBC4486DA9A2B2
                                                                                                                                                                                                    SHA-512:519FD4DB3B803DABFFD6DDE7A8B50F95D23A750E5114754C8F7D890DB51B3E2EB48F47423E0CE3725C1C10AF9E7D04C26958041C1B647FF07BB4DD066828B6C7
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{. "arch": "x64",. "description": "Widevine Content Decryption Module",. "manifest_version": 2,. "name": "WidevineCdm",. "os": "win",. "version": "4.10.2209.1",. "x-cdm-codecs": "vp8,vp09,avc1,av01",. "x-cdm-host-versions": "10",. "x-cdm-interface-versions": "10",. "x-cdm-module-versions": "4",. "x-cdm-persistent-license-support": true.}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\gmp-widevinecdm\4.10.2209.1\widevinecdm.dll.lib

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:current ar archive
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):2018
                                                                                                                                                                                                    Entropy (8bit):4.505766962480664
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:24:GKOZqJA4lX7yYyjriPXibZVOZgOZCxPqyRPJxBeXQ1MgFeyI/Iin:D50jWXYZVOWx3JCki
                                                                                                                                                                                                    MD5:688BED3676D2104E7F17AE1CD2C59404
                                                                                                                                                                                                    SHA1:952B2CDF783AC72FCB98338723E9AFD38D47AD8E
                                                                                                                                                                                                    SHA-256:33899A3EBC22CB8ED8DE7BD48C1C29486C0279B06D7EF98241C92AEF4E3B9237
                                                                                                                                                                                                    SHA-512:7A0E3791F75C229AF79DD302F7D0594279F664886FEA228CFE78E24EF185AE63ABA809AA1036FEB3130066DEADC8E78909C277F0A7ED1E3485DF3CF2CD329776
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:!<arch>./ 0 0 0 0 406 `................P...4...4...................................r...r__IMPORT_DESCRIPTOR_widevinecdm.__NULL_IMPORT_DESCRIPTOR..widevinecdm_NULL_THUNK_DATA.__imp_CreateCdmInstance.CreateCdmInstance.__imp_DeinitializeCdmModule.DeinitializeCdmModule.__imp_GetCdmVersion.GetCdmVersion.__imp_GetHandleVerifier.GetHandleVerifier.__imp_InitializeCdmModule_4.InitializeCdmModule_4.__imp_VerifyCdmHost_0.VerifyCdmHost_0.widevinecdm.dll/0 0 0 644 382 `.d....................idata$2............d...x...........@.0..idata$6............................@. ...................................................widevinecdm.dll....................idata$2........h..idata$6...........idata$4........h..idata$5........h.....$.................=.............Z...__IMPORT_DESCRIPTOR_widevinecdm.__NULL_IMPORT_DESCRIPTOR..widevinecdm_NULL_THUNK_DATA.widevinecdm.dll/0 0 0 644 127 `.d.......P............ida

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\gmp-widevinecdm\4.10.2209.1\widevinecdm.dll.sig

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):1427
                                                                                                                                                                                                    Entropy (8bit):7.560665040208843
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:24:38H/VZn47VBRxgCUQuODHBJeriJ8yojUdnkLvXWgl0oHLrUXAo0OfGYj3:38HdurRxHSOlAiqYoXWVDXTftj3
                                                                                                                                                                                                    MD5:D20EEB79B7F1D3E660DC2C4FCA295626
                                                                                                                                                                                                    SHA1:B55BB823DAC572930E52CF2998824A9E059FF58A
                                                                                                                                                                                                    SHA-256:815F46CC2C29BA0D3E509A925BFA0928990CF3AE59E421716DFC6C538C303C7D
                                                                                                                                                                                                    SHA-512:EDDA89ADE17AF764335F1C9A1BDD1C0BEAEBA9AE3C1BD96D4C30A5F1C2F4600F7833BDCD0C38EE0635A756B3BD498EB1C69C04F5E477860D075FE91C4D6F85D8
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:....0...0...........6cd/+J.v{..B...0...*.H........0}1.0...U....US1.0...U....Washington1.0...U....Kirkland1.0...U....Google1.0...U....Widevine1"0 ..U....widevine-codesign-root-ca0...171013173909Z..271011173909Z0y1.0...U....US1.0...U....Washington1.0...U....Kirkland1.0...U....Google1.0...U....Widevine1.0...U....widevine-vmp-codesign0.."0...*.H.............0.........2F..8.e..-....$r...{^........0.%.HA...sA"D.q.=6...#.J.N.......&..k;.+...<xF.......B8.)S....o..|Ci.F.A6....J.......Y..4..{.5u.9N...=...#.M..s.F!j.f%&ld.R...?!Ot@......#.f..O..[.V.p0y....+...S.].....M.=.9...>.. ........>.:....1tl.....`D/c..j..........0..0...U......L...cC.E..R.n...$.0...U.#..0....=..tW....!.B.#U).0...U....0.0...U........0...U.%..0...+.......0...+.....y........0...*.H.............g.."..[..t{.4~.,.G....4K.....(x$...} .*...N..b|d......h..u6?.L.(&.Oup...$!...4R. 5.-...s...K/..U[..[.+.sAX*.~...^0..ba>;.#....x...b.-1...E..l....S.n.a....)U .q..C>d:...<[..F5...7...[.-.l}.T Lc.X..Qf...z..:.Q..e.m

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\handlers.json

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):688
                                                                                                                                                                                                    Entropy (8bit):4.833979116241802
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:12:Y48lL4GzVrjKH1rTH3u+BPnyu+BPnBu+BGRyj0yUSFzFRuM/n:YrlL4GzNj2TtBPnoBPn/BGCVU6AM/n
                                                                                                                                                                                                    MD5:CCD9739A33364C1DB767B3D618792421
                                                                                                                                                                                                    SHA1:36C6F77F39B5110444DDEDB9DF396CDD64E3D6C3
                                                                                                                                                                                                    SHA-256:2768A13D73D5A275ECFC57264BB916EDAE81309E051A540B1D5477B13A7F90F6
                                                                                                                                                                                                    SHA-512:5CC1FECD9AC615F43996E0263424FC4EDFC5C701D97BE20DBE22437BFE09917A1D8A17DC4AAFFB81DE64382BF9C1AD7F0694C2F6EC81E2A20D5CA6CFFE754AD9
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{"defaultHandlersVersion":{"en-GB":4},"mimeTypes":{"application/pdf":{"action":3,"extensions":["pdf"]},"text/xml":{"action":3,"extensions":["xml"]},"image/svg+xml":{"action":3,"extensions":["svg"]},"image/webp":{"action":3,"extensions":["webp"]}},"schemes":{"irc":{"stubEntry":true,"handlers":[null,{"name":"Mibbit","uriTemplate":"https://www.mibbit.com/?url=%s"}]},"ircs":{"stubEntry":true,"handlers":[null,{"name":"Mibbit","uriTemplate":"https://www.mibbit.com/?url=%s"}]},"mailto":{"stubEntry":true,"handlers":[null,{"name":"Yahoo! Mail","uriTemplate":"https://compose.mail.yahoo.com/?To=%s"},{"name":"Googlemail","uriTemplate":"https://mail.google.com/mail/?extsrc=mailto&url=%s"}]}}}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\key4.db

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):294912
                                                                                                                                                                                                    Entropy (8bit):0.08434615749937499
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:192:2va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vPY:21zkVmvQhyn+Zoz67R
                                                                                                                                                                                                    MD5:93BAA1B7500F3ADB16BE27FCB2E256A8
                                                                                                                                                                                                    SHA1:77CB640557F5F7950B083405B4AEE0573D11D98F
                                                                                                                                                                                                    SHA-256:7C24FE957EFB0DDF026ECDD88027BE5B40863342CF2CF2A5A7FF72062F75B1E9
                                                                                                                                                                                                    SHA-512:C53D09227E5069924E49823CD6E93775B98439D57D279BEEFFE14EA057BF9D9882CE1BC297C0181D0309E027E7993F079D6BF4933A929D2C942903D28DB155AB
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................S`.....z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\permissions.sqlite

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:SQLite 3.x database, user version 11, last written using SQLite version 3036000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):98304
                                                                                                                                                                                                    Entropy (8bit):0.07268444684478458
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:12:DBl/A7tcla0mwPxRymgObsCVR45wcYR4fmnsCVR4bpV:DL8tDsh7Owd4+y
                                                                                                                                                                                                    MD5:41B7A474CE7C3C76763266879B521F78
                                                                                                                                                                                                    SHA1:114E01B2E98FDB861E02F7463615E606C1CA48F4
                                                                                                                                                                                                    SHA-256:664286298F89F4DC273C97C1BCAA3A1FE77F5A7336867624ECD8D85CD650F803
                                                                                                                                                                                                    SHA-512:9CAB93D5518C5FA87B17AAE61735C31D9DACF38D86F7B03E3CA7844D61D7B21FD8048F9E5290CD4A1FE26371A8F9D1542A1AA08028F37AC1DBCE4CBFAD9E5169
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................S`.....~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\pkcs11.txt

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):506
                                                                                                                                                                                                    Entropy (8bit):5.416307987963225
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:12:T4Lwvf11udhsETLDcGuyXkvsUvE+LK5H4ll:T4Lwvf126E4HVG2D
                                                                                                                                                                                                    MD5:816B9A8363605CE593CC36A5467F8003
                                                                                                                                                                                                    SHA1:5593A0C1244FC37AC4DAFF6BFD02E7C4373C3121
                                                                                                                                                                                                    SHA-256:A231895E5BCCB3C3AA821D2DF3ABC26CC5E636665F56DD595EBC2D1EE043810B
                                                                                                                                                                                                    SHA-512:50303B8EACFA77AF81C90D389185E3E6FF216EC89E5C3A61261356C46B01B9A91E60EC79EA687EE8BDDFB618E5A3D7AAA2E689413AA80EC8B7995D0CCAF5AAF7
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:library=..name=NSS Internal PKCS #11 Module..parameters=configdir='sql:C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\OL7UIQ~1.DEF' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' ..NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})....

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\places.sqlite

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:SQLite 3.x database, user version 57, last written using SQLite version 3036000, page size 32768, writer version 2, read version 2, file counter 2, database pages 41, cookie 0x21, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):5242880
                                                                                                                                                                                                    Entropy (8bit):0.035631294721445904
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:192:bZjnkYjcoBMcygNDI7oslTYBIQg6Ism2Vspvp0:bZTVTBMcygNDuT1l62p
                                                                                                                                                                                                    MD5:59E4A8110FA2BCC012E341B93E96E93D
                                                                                                                                                                                                    SHA1:EE08810B0CE857F01170C08A24B9D438B64D577D
                                                                                                                                                                                                    SHA-256:3A85F2FC349A7E431EA6F1FC4568C99C1918D478AD6FE6445D560EF00395DB40
                                                                                                                                                                                                    SHA-512:2AD00B0FCBE4FC37ECAA68C16BE32A904D682A23ACF5B39BCECF5DC280E23933FDD5A0D2A92A45F2C77618CA7466334AFEB1EAA7EA07BF4E043282B31039E8FF
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:SQLite format 3......@ .......)...........!...................9..................................S`....(e......}$|.|N{.{sz.z{z.yAx.x!w.v.wZu7tNt.s.s\r.rJq.p.q.p.o.o.o.m.mal&k.k.g.g3f.f.e.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\prefs.js

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:ASCII text, with very long lines (1046), with CRLF line terminators
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):11923
                                                                                                                                                                                                    Entropy (8bit):5.2717384530749305
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:192:58IXrFgMqaxu7aWUBp9PXaUhK+74NMre6w/hUiCw8TPD:geuajQthyre6wZCwGD
                                                                                                                                                                                                    MD5:59AF94B2C60EC3837D8D67F15C1C4716
                                                                                                                                                                                                    SHA1:204BADE84E385B4A87F5788B822AD60E743D891D
                                                                                                                                                                                                    SHA-256:4306770AFEFFF70ABB01C6E4CEA53C280917FF1458CF679C6745028BC7D36980
                                                                                                                                                                                                    SHA-512:3D9CEF70CE911AB4C053294BECE18F503D380A6FE4762764074988356CD6E2413268ED7F34C2225F1E78E917454318977CE6C88B6D2E0BF978367A426D358881
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.installation.timestamp", "132737585657068823");..user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "29abcd1e-1a70-48c8-93bf-45f85e2f4118");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.previous.reasons", "[\"app.update.background.enabled=false\"]");..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 0);..user_pref("app.update.lastUpdateTime.background-update-timer", 0);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1629285077);..user_pref("app.update.l

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\protections.sqlite

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:SQLite 3.x database, user version 1, last written using SQLite version 3036000, page size 32768, file counter 2, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):65536
                                                                                                                                                                                                    Entropy (8bit):0.04057874212351146
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:lSGBl/l/l//lAltllPltlJL/lRollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wr:ltBl/lYN1Vf4BEJYqWvLue3FMOrMZ0l
                                                                                                                                                                                                    MD5:2048E8689FE480814EC9DD0E47EF56F2
                                                                                                                                                                                                    SHA1:B5F38ABE01FC512BB692034B3348B553D4DC3BD6
                                                                                                                                                                                                    SHA-256:4775FFFDBAD4D517337D5E3C27BB9CE8F795B91138911D33A69337DB12B8D657
                                                                                                                                                                                                    SHA-512:E0891F6ACE5F7F1C3F9F9242C98A61042C15BFC3C3610CFDBF20D72C01B7A101AA24ACFDE75097D157DAD87B70DA17770FD3E75C786FFAB6D9372596C5DBAB93
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................S`......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\78fa850f-44f7-479b-b769-53266eaad482

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:PNG image data, 620 x 620, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):6957
                                                                                                                                                                                                    Entropy (8bit):5.40002104380395
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:96:ywM2ucn6SvaWDelrAfQ4SLx7o8PpEJn9I:xMcSWw77
                                                                                                                                                                                                    MD5:D8A188E1D2135DA2FEE098BDAF027BF2
                                                                                                                                                                                                    SHA1:1BE5C9F478B33251401796C6FB241D9148600F3C
                                                                                                                                                                                                    SHA-256:B696774A7C72EE7F5DE8823C0CBE452113F000AAB23AE8F0461617CA7D5D4B50
                                                                                                                                                                                                    SHA-512:9F6A443F0D15C3D77337E5FD28CA7EF6849A71C246FE4C8D6B4E8F860A319FA8CFCCF3D7676F777849F8BBD81422B74ADDEBA277BD9A11A82FA1576502D6FE23
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:.PNG........IHDR...l...l.....@..%...sIDATx...K.$e...{.ew...5FC....c...%$b4.p.....^<.x0D......D1.......YE|.4&............tW.V............J?fv..k...W.N.,......*...l...6......`..@....6......`..@... .............. ....l..........`...l...6......`..@....6.........@... .............. ....l..........`...l...6......`..@....6.........@... .............. ....l...6......`...l...6......`..@....6.........@... ....l......... ....l...6......`...l...6......`..@... ..........@... ....l......... ........`...l...6......`..@....6.........@... ....l......... ....l...6......`...l...6......`..@... ..........@... ....l......... ....l...6......`..@....6......`..@... ..........@... ....l..........`...l...6......`..@....6......`..@... .............. ....l..........`...l...6......`..@....6.........@... .............. ....l....*...l...6......`..@....6......`..@... ............FV.P'..../......b.. ..u.`......l..E......o.`..&.vY..7.l@?B-ixN../....p...t/.....1...ck!....*...7.l@wc-...d...g.....,...E..6..V...u>.

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\c22087e1-0808-4efc-ba80-c9ad00977005

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):83050
                                                                                                                                                                                                    Entropy (8bit):5.231649473897628
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:768:OGPyzvRdAwBdGbJqb/yHPd6NqcKJ97mRvAmvkNloU0dF4ezrw:sJe0oiqHkNK97mRvwNloU0dF4eY
                                                                                                                                                                                                    MD5:06617DE2034202E934FBD14967C6DC2E
                                                                                                                                                                                                    SHA1:0BA12A61BB462A40833F09275641BB2C2EF697E3
                                                                                                                                                                                                    SHA-256:6364E0B40805DB2B6BC6717EEC4BEB0B83B4F0951BDAC2A4F3C8E618830A1100
                                                                                                                                                                                                    SHA-512:C96F4C19B627300011DD766390343353F48EEF43A56979552F5C3EFE47862A33784314255D80E4A1AF68ECEDBB591C927F5BF4879C5FC7DAFCED9CBF4E43C077
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{"type":"main","id":"c22087e1-0808-4efc-ba80-c9ad00977005","creationDate":"2021-08-18T11:10:14.178Z","version":4,"application":{"architecture":"x86-64","buildId":"20210816143654","name":"Firefox","version":"91.0.1","displayVersion":"91.0.1","vendor":"Mozilla","platformVersion":"91.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"ver":4,"simpleMeasurements":{"totalTime":12,"start":9,"main":98,"selectProfile":101,"afterProfileLocked":103,"startupCrashDetectionBegin":133,"startupCrashDetectionEnd":12091,"firstPaint":1922,"firstPaint2":1000,"sessionRestoreInit":325,"sessionRestored":2390,"createTopLevelWindow":260,"quitApplication":12093,"profileBeforeChange":12157,"AMI_startup_begin":157,"XPI_startup_begin":167,"XPI_bootstrap_addons_begin":259,"XPI_bootstrap_addons_end":261,"XPI_startup_end":261,"AMI_startup_end":262,"XPI_finalUIStartup":332,"sessionRestoreInitialized":339,"delayedStartupStarted":2351,"delayedStartupFinished":2383,"startupInterrupted":0,"debuggerAttached":0,

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\d5086e2e-a2f2-4367-adfe-925ac1cc9e8b

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):489
                                                                                                                                                                                                    Entropy (8bit):4.947288892874733
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:12:YZFg6H0IisJHIVHlWnH4lZpaVphAQp0YzvZcyBkPB4:Y8sVSlAYlZpaVphAQp0WZcy+W
                                                                                                                                                                                                    MD5:B6C3A72EDF04D15234C8E1A620E25DF0
                                                                                                                                                                                                    SHA1:D4B77F6ABBB9FA84241A9CE01B967FC507EA4969
                                                                                                                                                                                                    SHA-256:4DA3E22B9314A850FB6FC76FA6EE78112C7CC3708A6B8153A6C94E1EE996807B
                                                                                                                                                                                                    SHA-512:AE9373FB9829EC3C2720F90C98E104B00F3DF9B955EFDE048A80F4D51DFFE0999176E05B07062FB1EDF97CFDA9A2B17400CCBFAFE126C94110A51FF46DA0AA5E
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{"type":"health","id":"d5086e2e-a2f2-4367-adfe-925ac1cc9e8b","creationDate":"2022-01-20T08:52:12.354Z","version":4,"application":{"architecture":"x86-64","buildId":"20210816143654","name":"Firefox","version":"91.0.1","displayVersion":"91.0.1","vendor":"Mozilla","platformVersion":"91.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eTerminated":1}},"clientId":"56585a2f-ae77-4cbd-b8c0-29e7791afbf6"}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\d57cc9af-886d-48b0-8034-02511a47faa3

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):489
                                                                                                                                                                                                    Entropy (8bit):4.95378065002325
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:12:YZFgSsrpB5IVHlWnH4lZpaVphAQp0YzvZcyBkPB4:Yvsrj5SlAYlZpaVphAQp0WZcy+W
                                                                                                                                                                                                    MD5:C0FAAB2A9F42A7F3A45966436405EE9B
                                                                                                                                                                                                    SHA1:D6E3B3FD4B9FB92F152FBC72190004B96CD4D8DF
                                                                                                                                                                                                    SHA-256:F4D2DA03C8549EA8F8167A9AAEA28FC15908FFF8063C3AB04DD71814C9FCD1D8
                                                                                                                                                                                                    SHA-512:74BC525A1CAA15C359BF5642EF03D6E9ECADAA87E9CB7E53B7967DC5792ED2321A739E9D343B7822C00967CD96631D081BEE4F40D191968FB153BAC8626CD916
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{"type":"health","id":"d57cc9af-886d-48b0-8034-02511a47faa3","creationDate":"2021-08-18T11:11:42.556Z","version":4,"application":{"architecture":"x86-64","buildId":"20210816143654","name":"Firefox","version":"91.0.1","displayVersion":"91.0.1","vendor":"Mozilla","platformVersion":"91.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eTerminated":1}},"clientId":"56585a2f-ae77-4cbd-b8c0-29e7791afbf6"}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\d82ce3ab-74b6-4fbf-b57c-0849c4c6949b

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):489
                                                                                                                                                                                                    Entropy (8bit):4.966335139206347
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:12:YZFgy4W+tkRIVHlWnH4lZpaVphAQp0YzvZcyBkPB4:Yb4WgySlAYlZpaVphAQp0WZcy+W
                                                                                                                                                                                                    MD5:1336FED93AEDC5B89A060B2067B21D51
                                                                                                                                                                                                    SHA1:C78ED61779F4696BECD79B0E32C6C43326BC219C
                                                                                                                                                                                                    SHA-256:D2147E06F4ACC05FF980E7E3F1837A4AC7B9C13813C97498EFE918AE3604989F
                                                                                                                                                                                                    SHA-512:D5AE05CB3AE7DD668CB9B74052E7247363A216322BBD7A00D4EE3EE256C695AF003DFB9B42162EB39E1D93D4E11762C4C274B8B9D88B27A8EDDCE8D3718E583A
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{"type":"health","id":"d82ce3ab-74b6-4fbf-b57c-0849c4c6949b","creationDate":"2021-09-22T10:34:09.170Z","version":4,"application":{"architecture":"x86-64","buildId":"20210816143654","name":"Firefox","version":"91.0.1","displayVersion":"91.0.1","vendor":"Mozilla","platformVersion":"91.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eTerminated":1}},"clientId":"56585a2f-ae77-4cbd-b8c0-29e7791afbf6"}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\df3b2a54-bcb9-49d5-af88-41a4dbd2910c.tmp

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):489
                                                                                                                                                                                                    Entropy (8bit):4.960084796077421
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:12:YZFgiwIiUVZuIVHlWnH4lZpaVphAQp0YzvZcyBkPB4:YnuMZuSlAYlZpaVphAQp0WZcy+W
                                                                                                                                                                                                    MD5:DEAC608424362AE41CD9F01F13A54ACA
                                                                                                                                                                                                    SHA1:B2713B4E871309A3BA3D17174DA0F6983004D556
                                                                                                                                                                                                    SHA-256:47A98B6F32D54DBEA3DC9412074808A5CD2D5354746E6EB2B8A33A39824C19B4
                                                                                                                                                                                                    SHA-512:80582525DEC0AC38ADB6828D272F78898D38C9F68BB27E9F5369D4F8DA269EAE406BCB464D39974AD05814CBE7345C74DFB5633CB8E41FCA1BFE1FB3ECA477E7
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{"type":"health","id":"df3b2a54-bcb9-49d5-af88-41a4dbd2910c","creationDate":"2022-01-20T08:53:50.501Z","version":4,"application":{"architecture":"x86-64","buildId":"20210816143654","name":"Firefox","version":"91.0.1","displayVersion":"91.0.1","vendor":"Mozilla","platformVersion":"91.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"immediate","sendFailure":{"eTerminated":1}},"clientId":"56585a2f-ae77-4cbd-b8c0-29e7791afbf6"}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\saved-telemetry-pings\e49281ed-d354-45d9-a285-40fdfecb9a92.tmp

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):488
                                                                                                                                                                                                    Entropy (8bit):4.982089063498965
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:12:YZFgtRnIiUY1IVHlWnH4lZpaVphAQp0YzvZcDB21PB4:Yop1SlAYlZpaVphAQp0WZcD01W
                                                                                                                                                                                                    MD5:DB7AE8F53149F59B5507D0F98280A709
                                                                                                                                                                                                    SHA1:A426774554B8426C8BF77293F0531BC5629A3F14
                                                                                                                                                                                                    SHA-256:38DE224404E6D80D6DED7E1CAF41B7B028C030E9B3EB25C4865B3F79A321EDF7
                                                                                                                                                                                                    SHA-512:D8C9F0CC56FC6A666F735EDCF5406872A12374796B7063E20F1B6A3BA670443DB8F5315ABA114367ABA40CCAEAAF8240C23401EC9E6C38E16F5CF555D02DD8C0
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{"type":"health","id":"e49281ed-d354-45d9-a285-40fdfecb9a92","creationDate":"2022-01-20T08:53:50.532Z","version":4,"application":{"architecture":"x86-64","buildId":"20210816143654","name":"Firefox","version":"91.0.1","displayVersion":"91.0.1","vendor":"Mozilla","platformVersion":"91.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"os":{"name":"WINNT","version":"10.0"},"reason":"shutdown","sendFailure":{"eTerminated":3}},"clientId":"56585a2f-ae77-4cbd-b8c0-29e7791afbf6"}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\search.json.mozlz4

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:Mozilla lz4 compressed data, originally 470 bytes
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):202
                                                                                                                                                                                                    Entropy (8bit):5.479358403372035
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:6:vXQP2SNtSapaBlP7521TxSBBUk4Jg71JWEv2X8W6:vK2SNtjpOPWE4JY10q
                                                                                                                                                                                                    MD5:292C36EEC565FD48E57E3D56F3689C86
                                                                                                                                                                                                    SHA1:3994DB66EF888B4ED2567E7840D5C24598C894C1
                                                                                                                                                                                                    SHA-256:4AADEB54E09704404AB6DCC131F6CD9CA421E61A1793AC01593D51956A75D4DF
                                                                                                                                                                                                    SHA-512:8978CD1942069DCE7F0AA968FD698504805E98845CFD61C6765F2A1F7F3E37E3B20AC65DBE0210BD8BF221ABB90676B017201FA1C32D0573170A8F1908DF17B6
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:mozLz40......A{"version":6,"engines":[{"_name":"Google","_isAppProvided":true,"_metaData":{}},8..Chambers (UK)?...Wikipedia (en@. OBingv...Amazon.d.. @Duck../Gow..OeBay6..7],"r..."useSavedOrder":false}}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\sessionCheckpoints.json

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):90
                                                                                                                                                                                                    Entropy (8bit):4.194538242412464
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
                                                                                                                                                                                                    MD5:C4AB2EE59CA41B6D6A6EA911F35BDC00
                                                                                                                                                                                                    SHA1:5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
                                                                                                                                                                                                    SHA-256:00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
                                                                                                                                                                                                    SHA-512:71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\sessionstore-backups\previous.jsonlz4

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:Mozilla lz4 compressed data, originally 3048 bytes
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):1228
                                                                                                                                                                                                    Entropy (8bit):6.161863608627135
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:24:vpSUGliyugHNF/X5UfpWbRwuU5sSasEtHBOEn4BpwKYiAddMvb:hpCN/Ufp0pGpo14rZ/
                                                                                                                                                                                                    MD5:DA2666B07C9AE2294593B379F2106C44
                                                                                                                                                                                                    SHA1:5268FD8AF82DA4388F9A306DBB42D6DB804B61AF
                                                                                                                                                                                                    SHA-256:0C65D38E94B02F6264587A526203A780CBF518568A5B85B324F351CC05728E62
                                                                                                                                                                                                    SHA-512:1699F1DC09598E71736B62B15C9E5D7EF84628163EA3342431ECA8798ADD1B693F30052FB26415AD249C7A957C723F262367BEBBB4F3F879D59B08BE05C759EF
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie...}url":"about:home","title":"New Tab","cacheKey":0,"ID":1,"docshellUUID":"{7017a4f2-87c1-421b-9a28-5ae42a597b44}","resultPrincipalURI":null,"p...sToInherit_base64":"eyIwIjp7IjAiOiJtb3otbnVsbHByaW5jaXBhbDp7ZmMzZTRjZmYtZmRiMy00ZDgwLTllMDctNjU1NjdkNzg0NzYzfSJ9fQ==","partitionedP..k..hasUserInteract....false,"triggering...%..z%.0fX0...?docIdentifier":4294967297,"persist":true}],"lastAccessed":1632306849075,"hidde...searchMode...userContextId%..attributf..{},"index8..requestedI....0,"image":"chrome://branding/cU..nt/icon32.png"..aselect...,"_closedT.......dth":1296,"height":975,"screenX":4...Y..Aizem..."normal"...BeforeMinimizs..#..workspace..""0..p1-01bf-...-1e41-b62a167c..C","z...1i..._shouldR.....","..*At...6...s.....W...[...........>..(.1":{..iUpdate\..98,"startTim..1266...centCrash...0},"global..Dcook^. hoe..."addons.mozilla.org","valu...Ab9073643d87b51c24ee58e86f0482867e64329dd0c0cfb2261b055c7dcf0d180","path":"/"

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\sessionstore-backups\upgrade.jsonlz4-20210816143654

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:Mozilla lz4 compressed data, originally 24421 bytes
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):4542
                                                                                                                                                                                                    Entropy (8bit):6.6957621272959775
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:96:nyvzHPSWtvF0Qrl7JoGb1OLGTzTSZ8VABssA1M:ozHPSWt9FrpJoGA6TzW8A2G
                                                                                                                                                                                                    MD5:882111CABC008240172A7F9EB8242B9A
                                                                                                                                                                                                    SHA1:B4B70D463F5500651E70B5D346DAFFDA301EF4C7
                                                                                                                                                                                                    SHA-256:983216F7E70D04817D33F35CAD106E559183DBFF4120C2B4CB7A1C52275E3524
                                                                                                                                                                                                    SHA-512:91B509394F5A16717FCD2A2DA4F4583E32D1E3D35588728C5628478F26C868F6B86CD5352A05CA324F65CBA3A9204731585C6540F6C75E72747CA37992D09E7F
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:mozLz40.e_....{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"about:newtab","title":"New T....cacheKey":0,"ID":2,"docshellUU...D"{cbd56607-0ee5-4ecb-b30e-86a75b0687e8}","resultPrincipalURI":null,"hasUserInteract....false,"triggering9..._base64":"eyIzIjp7fX0="...<Identifier":6442450946,"persist":true}],"lastAccessed":1629285014019,"hidde...searchMode...userContextId...attribut_..{},"index":1...questedI..p0,"imagh...chrome://branding/cU..nt/icon32.png"..aselect...,"_closedT...state":...wwelcome...W... to Firefox....1S......9cabed15-1ebf-4e15-834c-6207a7091a8b....p...ToInherit...w...QIjAiOiJtb3otbnVsbHByaW5jaXBhbDp7ZGRmZTM2NTQtODFjNi00NjE0LThjZWItMzIxOGE1NzBlOTZmfSJ9fQ==","partib.%edQ....c...L.5...O1218..}........B..Q,"posy..:.'At..D2481.....?1},S....https://www.mozilla.org/en-US/privacy/fV../t..i." P#.. Notice . MH......p....1f48e900-ba46-4216-bcc4-91bc2e7d73f7..corigini..............@.......loadReplacew.....2.....1.!NzZmOTI5ZmUtNWFmNC00YTY0LWE2MDktZTU4N2M4ZTYyMWU4..

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\shader-cache\16dd941957223da3

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):17452
                                                                                                                                                                                                    Entropy (8bit):5.1165468099156985
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:192:jUB1zmvSwuNpsG1C+BJBvm50i5MF7ljjzjZJ6ZvFbhuhdXF1FyEp0/U/EQvyy3vj:ctR371zjv6FFo51vyyagPEi7
                                                                                                                                                                                                    MD5:64A97C39C82F4EE3F6A8375C2CD5ED6F
                                                                                                                                                                                                    SHA1:C6AFA4C5A8D9A13CE188B9942490BA29FD84A090
                                                                                                                                                                                                    SHA-256:F8BC7DA7510987E3ACA9DC879DC7423CF8D35932D5E7F92A1D7FBEF2FCC31710
                                                                                                                                                                                                    SHA-512:59E5363D29B672CAED73E0690ABD6E55185E4F5B4E723CEBFB0233724B89725AC88A5E4D3BA67CBA88AE8C5E69C7D4754CA9EF8574D76CD1A998343CB46E0AA7
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:2.T...Z.h..s.D......31a43497be09........................................................................................................................P..............aPosition........_uaPosition........................................................................aBlurRenderTaskAddress........_uaBlurRenderTaskAddress........................................................................aBlurSourceTaskAddress........_uaBlurSourceTaskAddress........................................................................aBlurDirection........_uaBlurDirection................................................................\..............uTransform........_uuTransform....................................................................................................^...............sColor0........_usColor0....................................................................................................^...............sRenderTasks........_usRenderTasks..........................................

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\shader-cache\19dfa09daad81f19

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):7689
                                                                                                                                                                                                    Entropy (8bit):4.289145518099553
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:96:3d7O1U1BB7AcDs5bczP42KASXoKF+eC4LDKFFuMdxDwSc:BO1UrB7dDs5bcjUAeF9MdZNc
                                                                                                                                                                                                    MD5:49E06B1E804B5EAF84031437E22C05BE
                                                                                                                                                                                                    SHA1:49C78C80D753618AA55928B29DE929F6C88E15B2
                                                                                                                                                                                                    SHA-256:AB69DA59DDBD375B36559DD2DFF51EF7B513F86B05DD91688165A11D9562900A
                                                                                                                                                                                                    SHA-512:6BAEE6BB0839722A2347A47B97A4560159EF8647CFE6794DCBEABC0713AFC762106B2A6C8BA5B2EE5B093338E5A48F6293F1766B444DBBAADAD070544459A37D
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:2.T..E...h.........31a43497be09........................................................................................................................R..............aValue........_uaValue........................................................P..............aPosition........_uaPosition............................................................................................................................R..............oValue........_uoValue.................................................................................................................................................................>..I..>............................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\shader-cache\31276d1d9aec4d57

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):23689
                                                                                                                                                                                                    Entropy (8bit):5.182526875972197
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:192:iEpg8rwuNdXF1O12l+BEF0iwOuWqO+G1SOmhkF2OL8W0Fyr8lsf09MCWdzGTgXdn:iEhZOMBDF2OL8W0FyYGZXdhNa8
                                                                                                                                                                                                    MD5:C4E60FA5D43548D5B58009804297C058
                                                                                                                                                                                                    SHA1:9946D33FD3CA700D73D7546C976C45FA8C89635B
                                                                                                                                                                                                    SHA-256:01DC09DB6FC58E8FC65EB653DBBC9136CB48E61C31D9E4F6867CA3C0944652DE
                                                                                                                                                                                                    SHA-512:E96CCEA4001F1A89F9AB084BB9FA45C475E6696EE3ECCF777B54BD7F648E22060D9008B1E1629DD16764F0CCEA2D9A3B161502B5DFA6D3B4E9C2E5269A517ACC
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:2.T.9c4..../i\......31a43497be09.......................................................................................................................P..............aPosition........_uaPosition........................................................R..............aClipDeviceArea........_uaClipDeviceArea........................................................R..............aClipOrigins........_uaClipOrigins.......................................................................aDevicePixelScale........_uaDevicePixelScale........................................................S...............aTransformIds........_uaTransformIds........................................................P..............aClipLocalPos........_uaClipLocalPos........................................................R..............aClipLocalRect........_uaClipLocalRect.......................................................................aClipMode........_uaClipMode............................................

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\shader-cache\33c4fa4c5b7905f9

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):11233
                                                                                                                                                                                                    Entropy (8bit):4.880118241794849
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:192:NiSBvq7XF1aI+BEBvmFFMtbyCXF1bxyEp0nCGfDfXFFX4/zcvI6:u5RltbXRQdN4M
                                                                                                                                                                                                    MD5:3C35839899DBDF797C03AA775A4BFAF1
                                                                                                                                                                                                    SHA1:EF2F40992DB4E6F742D236F50E483B5D4E060836
                                                                                                                                                                                                    SHA-256:4F52664A4CA4B64414E10954112DAD2A713367ED70A0A2C79F6AA3F6A7F8BC7A
                                                                                                                                                                                                    SHA-512:0313B1E94359FD77E60506ADB447BBF3D4EA0EC70E4113432F33C88833A153CBADF20CDDD1D0D291F66AD4CA4FCB09F1125287599BC992DEC90A706A59155438
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:2.T...4`..{..+......31a43497be09........?.?.?...?.......................................................................................................P..............aPosition........_uaPosition........................................................R..............aLocalRect........_uaLocalRect........................................................R..............aDeviceClipRect........_uaDeviceClipRect........................................................R..............aColor........_uaColor........................................................R..............aParams........_uaParams........................................................R..............aTransform........_uaTransform........................................................R..............aUvRect0........_uaUvRect0................................................................\..............uTransform........_uuTransform..........................................................................................

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\shader-cache\41b8bf16a2fb4d99

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):39154
                                                                                                                                                                                                    Entropy (8bit):5.297143969737531
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:384:jiexRcEEC+7PUpCVJ0NDXEbrxrUnt/E1GEn:ji+BECw8pSJ0NDUbd4nt/E1n
                                                                                                                                                                                                    MD5:6CB4DF15238896AE363FC6996FA1F878
                                                                                                                                                                                                    SHA1:06338C6582EF39A216DC0307D4BDBE255635DFE1
                                                                                                                                                                                                    SHA-256:0DD55EC09F466B6084E6982975AB390AC862C4C11F219E771B1B29AD07B49AD5
                                                                                                                                                                                                    SHA-512:2E8855C4F1F91D223A3F41B33BB780D2B794D532605C15AA05E76B4C79671D7FB640FB64C289E2D6639166AAC82F1DB6CBE42DD40552125452CC80A8EC9C078E
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:2.T..i;D7].........31a43497be09........................................................................................................................P..............aPosition........_uaPosition........................................................U...............aData........_uaData................................................................................uMode........_uuMode....................................................................................................\..............uTransform........_uuTransform....................................................................................................^...............sColor0........_usColor0....................................................................................................^...............sRenderTasks........_usRenderTasks....................................................................................................^...............sGpuCache........_usGpuCache................................

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\shader-cache\686ae197c66d540a

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):25868
                                                                                                                                                                                                    Entropy (8bit):5.252609443543387
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:192:F7zdWL1lEUElTAXuldurwuNhCIw6w5i/A+BQF0Nb0rqsJ5zLxJIlSf0ehN3ERBjR:JzZl3IlSf0eh+buGE74Bx
                                                                                                                                                                                                    MD5:B1515502CBD513B9211739FA99B9CF1C
                                                                                                                                                                                                    SHA1:849241C3DAAF64EF35AADFB233D17EF2F613B02D
                                                                                                                                                                                                    SHA-256:8DC460834640AAAF0D488EF14A7E0193C73A1E30213CE976909F7AA309DA07B4
                                                                                                                                                                                                    SHA-512:507DA131CE9223085B08552C11A17ED4E4409A651793D9E068C79E37CC19D338B89A739C973B2E9FC3D54313673EE7672FACF3021F47D760E7CAE3A06E86C80F
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:2.T..U..W....d......31a43497be09........................................................................................................................P..............aPosition........_uaPosition........................................................U...............aData........_uaData................................................................\..............uTransform........_uuTransform....................................................................................................^...............sRenderTasks........_usRenderTasks....................................................................................................^...............sGpuCache........_usGpuCache....................................................................................................^...............sTransformPalette........_usTransformPalette....................................................................................................^...............sPrimitiveHeadersF........_usPri

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\shader-cache\b1ec35eec26117ca

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):31276
                                                                                                                                                                                                    Entropy (8bit):5.266821727844461
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:192:5HAEJL1lEUElTAXuldumtwuNrTRX6Nai/Lx+BbxBvm50Nb0rqtKJC8bkJER5tV0j:a/XxRXER5tV0JXcVWrNVxR/38GsTXwTv
                                                                                                                                                                                                    MD5:F2BD69A830A8A1DB21F016BBDD17CBD2
                                                                                                                                                                                                    SHA1:0FB15D4F97A6882053D659A4995D61251B1A2D5F
                                                                                                                                                                                                    SHA-256:B2827DCAE93BBCB61503FA436C776CDD7B68E7EF03031B58591A28A197348E3F
                                                                                                                                                                                                    SHA-512:FC443BE2AE772AB860E52DCD2DADAC007FEE835813B7CF07BBFFF0C8F066522365225EA4B5E7454683F92841F4F16506AB199703F12A031AAC6B7C92796F6A14
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:2.T..l...XP..z......31a43497be09........................................................................................................................P..............aPosition........_uaPosition........................................................U...............aData........_uaData................................................................\..............uTransform........_uuTransform....................................................................................................^...............sColor0........_usColor0....................................................................................................^...............sRenderTasks........_usRenderTasks....................................................................................................^...............sGpuCache........_usGpuCache....................................................................................................^...............sTransformPalette........_usTransformPalette........

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\shield-preference-experiments.json

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):18
                                                                                                                                                                                                    Entropy (8bit):3.5724312513221195
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:YAP9M/e1n:YAW/4n
                                                                                                                                                                                                    MD5:285CDEFB3F582C224291F7A2530F3C4E
                                                                                                                                                                                                    SHA1:F816C3E87AA007B6E6D31EB6A4618695A7D83439
                                                                                                                                                                                                    SHA-256:704D28223A4320A853DF4A19D48C7015CF79D56A5317CC3475B6305FA43DCC05
                                                                                                                                                                                                    SHA-512:8F1DECF1E4B5755FCE8F165DAAE115F45D6890985C9C4BBB33A6F724CBFD26DB75F6DA06F9EF675DE20FE755DA9B7F55E5EE37124296A12A520A393DA159BD58
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{"experiments":{}}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\storage.sqlite

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:SQLite 3.x database, user version 131075, last written using SQLite version 3036000, page size 512, file counter 5, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 5
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):4096
                                                                                                                                                                                                    Entropy (8bit):2.6371036508869365
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:24:Jmvkfc3dVuBlVcR9YzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:wsU3dVuBlVo9WXtR+JdkOnohYsl
                                                                                                                                                                                                    MD5:A1B07EDB904D2A534AB10C2F03A567FB
                                                                                                                                                                                                    SHA1:F917538CE44A2DD3E8C153A06E11B1FCE0563A43
                                                                                                                                                                                                    SHA-256:FD70D9A69FC0C6661276A2107697448F85BA3D585682A7B98013CF57C199CC48
                                                                                                                                                                                                    SHA-512:5EE0E4FA48DD24A2D77EFAA41BBF3CDFA8F261DBA496887F6E77AE7403093731603ABD1C2BF26B12E15DCC3E59BBEE7C46E288531BD20484AF4AE06900E26FE1
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................S`....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\storage\default\moz-extension+++5e736be9-c24e-4afd-9b82-80cfe7b06e1d^userContextId=4294967295\.metadata-v2

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):193
                                                                                                                                                                                                    Entropy (8bit):4.891473167183421
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:HPDHtllDHXp+aRcIhllT3UHAgg1gi3xQWQ+aRcIhllbhNWegg1gi3xQWQ+aRcIhl:bp3/RRzF3UgnP3xQRRzNdnP3xQRRzn
                                                                                                                                                                                                    MD5:BF07CFB708A4524B9DB521B8EE264943
                                                                                                                                                                                                    SHA1:A12D4A7A3498BB8691B7D04D9660E6EA456EE2D2
                                                                                                                                                                                                    SHA-256:FE9654B87AB57C74D484D16AE78B24DB0F13AB398B50F72C1341E4D37B25CCAB
                                                                                                                                                                                                    SHA-512:FFA7F5AB350D1DDEBA73A6E85FF3658DEDC1375F38DDB2F25EDC26C3826AB5C7DD4BD327C368E9AB7BE9BA8DD0ABE56AD7112B9FB2C1F754A287670E4A840402
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:....y.X.............^userContextId=4294967295...=5e736be9-c24e-4afd-9b82-80cfe7b06e1d^userContextId=4294967295...Mmoz-extension://5e736be9-c24e-4afd-9b82-80cfe7b06e1d^userContextId=4294967295.

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\storage\permanent\chrome\.metadata-v2

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:TTComp archive data, binary, 2K dictionary
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):42
                                                                                                                                                                                                    Entropy (8bit):3.0009230918800167
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:Hxk/teaIAlr7IAln:Rk/tecRBl
                                                                                                                                                                                                    MD5:E1E1A76BB1C74CE8EC79114AD58F62D2
                                                                                                                                                                                                    SHA1:0BBDF3BA614B36D1FD65C53860580265F071E9BC
                                                                                                                                                                                                    SHA-256:E12D9EBBFEE840632D4EB171C83DADC75A783AA37C7403B1B4217665992C7A20
                                                                                                                                                                                                    SHA-512:ABC51712E764CA3252671C1935ED3F724A2A4990EC6D84946E16DABB561AD25CC0F8A21A3CDCF1BB59A4CADADCB03CF5A348AF489B34755963D70098D7467E56
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:....y.?..................chrome....chrome.

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\times.json

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):50
                                                                                                                                                                                                    Entropy (8bit):4.215337750470312
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:YGXgtwXKCwXQyn:YGwtwXKCwX9
                                                                                                                                                                                                    MD5:D225A59C5B74BF18CC657C60D2616DEC
                                                                                                                                                                                                    SHA1:DDA772207EEBB79E3A8E6636EA4A7C21F5B8D43B
                                                                                                                                                                                                    SHA-256:B4E35BD14093ED3AD1D84425C20B2390139D52FAB401AC5878DE0BE5681729B7
                                                                                                                                                                                                    SHA-512:2CF4D0561A52FF9464D5DE2D0B6931EDE1AE7318CAB683B35EDE152E3894D6F625BF625C9891F3B64291D44AB43C8F17E5DC774D48A3FD58D767844D4CB9AC04
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{"created":1629285002061,"firstUse":1629285002320}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\webappsstore.sqlite

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:SQLite 3.x database, user version 2, last written using SQLite version 3036000, page size 32768, writer version 2, read version 2, file counter 2, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):98304
                                                                                                                                                                                                    Entropy (8bit):0.048611602651284946
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:6:ltTlg/E7R/Wwhm914iDKrvcwTlNCcVWDeNgLu5e3cwOJrheFDEf:DRgE7Rzhm9GiD0c4NCcVUo58cz16D
                                                                                                                                                                                                    MD5:53A195DF99875AE1B4515E4406667F5D
                                                                                                                                                                                                    SHA1:EF0370A300086F9F277EF8D13469B1B249287392
                                                                                                                                                                                                    SHA-256:E98F716EF4284202DA2088DB96C2B9E40EFA0EB5E21F42BF0C48B67606021DB6
                                                                                                                                                                                                    SHA-512:CECD5389FB8643878BB913324A54B53EEC5C16F0EC842ED780F39EBE052D87A1CB95E8C7F75FB0AC1617BB8B0253D2E0F13CA55A984770D54F16C537AA2C5749
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................S`.....~...r~.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\webappsstore.sqlite-shm

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):32768
                                                                                                                                                                                                    Entropy (8bit):0.017262956703125623
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                                                                                                                    MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                                                                                                                    SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                                                                                                                    SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                                                                                                                    SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\xulstore.json

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):2
                                                                                                                                                                                                    Entropy (8bit):1.0
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:3:H:H
                                                                                                                                                                                                    MD5:99914B932BD37A50B983C5E7C90AE93B
                                                                                                                                                                                                    SHA1:BF21A9E8FBC5A3846FB05B4FA0859E0917B2202F
                                                                                                                                                                                                    SHA-256:44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A
                                                                                                                                                                                                    SHA-512:27C74670ADB75075FAD058D5CEAF7B20C4E7786C83BAE8A32F626F9782AF34C9A33C2046EF60FD2A7878D378E29FEC851806BBD9A67878F3A9F1CDA4830763FD
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Lite\xulstore.json.tmp

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):214
                                                                                                                                                                                                    Entropy (8bit):4.527201653691532
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:6:YGNTG/SJsAUv54rHWccHCtKgf1ERV2fVH8qLO:YGNdciHWnUKgfi2tH8aO
                                                                                                                                                                                                    MD5:698C1CC45A0C70D2C8B68BF3C7256400
                                                                                                                                                                                                    SHA1:CF417032A45650B1AB7CCB8120A822A2B803EFB4
                                                                                                                                                                                                    SHA-256:DB6C9F872F33B02A3FCD9B7D7968E7BFE5A8220C1E0403AF094751A30F05EA85
                                                                                                                                                                                                    SHA-512:DBADD4A956BFC7ECDC990089F56F0FCB9A18695620C6B702049F14A466E3D2B779A260A589076217D3FC659E5EECE101FD205D3012A614F9FD32AB11E919DE24
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:{"chrome://browser/content/browser.xhtml":{"main-window":{"screenX":"4","screenY":"4","width":"1296","height":"975","sizemode":"normal"},"sidebar-box":{"sidebarcommand":"","width":""},"sidebar-title":{"value":""}}}

                                                                                                                                                                                                    C:\Users\user\AppData\Roaming\Zoom.exe

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):357376
                                                                                                                                                                                                    Entropy (8bit):7.851905543593135
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:6144:FqGQ3yZ9DfOoAHkhjoW6Pj1EuY6nxMjayFG1guB/yz6VSVYPxfN3eFS0I:FzQrFkhjoWC1EgnSj9F+gkmKXJ0
                                                                                                                                                                                                    MD5:DA30EAB35F763BC0C5100F7DA5F8E676
                                                                                                                                                                                                    SHA1:218134A4B2E2D00EA18CF528AE35431A01474FE3
                                                                                                                                                                                                    SHA-256:80E520BD05E9F430994D7108AA44E756421BB5BA84EF12972ECB280545BCEF3A
                                                                                                                                                                                                    SHA-512:68A209C85C60CD75EBA6EBC0D8A29EBDF4AE869D962CFC8D68DFAE72304553F15873F3DFCCA6B110E716B5C4F525447F5901050CC02F9AC61755174CA60F076F
                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 45%
                                                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7b................0..j............... ........@.. ....................................@.................................`...K.......`............................................................................ ............... ..H............text....i... ...j.................. ..`.rsrc...`............l..............@..@.reloc...............r..............@..B........................H..........DW..........,................................................*...(....*..(....*..0..".......8......*... ....o....8H.......o......o....o......8^..... '..p ^Wj[a~p...{X...a(3...(....o....8...... .[. ....b ....a~p...{....a(3...(....o....8....s......8..... @........%.....(....s......8..........s......8.........o....8....s......8.......o....s......8.............8..........o....&8.......(......8.......s......8.........o....8......o......8..........9....8......o....8..

                                                                                                                                                                                                    Chrome Cache Entry: 149

                                                                                                                                                                                                    Download File
                                                                                                                                                                                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                    File Type:ASCII text, with very long lines (6117)
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):6122
                                                                                                                                                                                                    Entropy (8bit):5.799814709564751
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:96:M/ESldIN6666V2FbnZNUvKkLWdoVc5OuvElinLs9xMC5s1p1l0Fd66666WPUH88H:M/EAeN6666VezZNfCyicIUfQ915s1iF2
                                                                                                                                                                                                    MD5:361304B57F3E0C7D8EBCB2640854CD8B
                                                                                                                                                                                                    SHA1:2AE37BF6C8A8BB2024C90AB8BB1DF005BB7FD5DD
                                                                                                                                                                                                    SHA-256:429D9AFF4449ED355995FEB895458A6CAFF33343480DC7D9D17CCEC1FC0A5944
                                                                                                                                                                                                    SHA-512:B18438FB1F6F3184C6CAFBBDE39E929917E1109BB65F9FEC874C7B60BB97197AAC1F5F6ACA3796E566F95B06FC1E3C9551B0D016B4D359FB0826CC69B04CC5FA
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview:)]}'.["",["isha death arcane","chargers bengals football game","super micro computer stock","motortrend roadkill","spacex starship launch","weather forecast snow storm","prague pro bodybuilding results","drake bulldogs"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChoIkk4SFQoRVHJlbmRpbmcgc2VhcmNoZXMoCg\u003d\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"google:entityinfo":"Cg0vZy8xMWJ3Mm1kamMxEhRSb2Fka2lsbCDigJQgVFYgc2hvdzKHEGRhdGE6aW1hZ2UvanBlZztiYXNlNjQsLzlqLzRBQVFTa1pKUmdBQkFRQUFBUUFCQUFELzJ3Q0VBQWtHQndnSEJna0lCd2dLQ2drTERSWVBEUXdNRFJzVUZSQVdJQjBpSWlBZEh4OGtLRFFzSkNZeEp4OGZMVDB0TVRVM09qbzZJeXMvUkQ4NFF6UTVPamNCQ2dvS0RRd05HZzhQR2pjbEh5VTNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTi8vQUFCRUlBRUFBUUFNQklnQUNFUUVERVFIL3hBQWJBQUFDQXdFQkFRQUFBQUFBQUFBQUFBQUNBd0FFQlFZQkIvL0VBRFlRQUFFRUFRTUNCQVVCQlFrQUFBQUFBQUVDQXdRUkJRQVNJUVl4RXlKQlVRY1VZWEdCa1JVeW9lSHdJeVJDUTFLaXNjSFIvO

                                                                                                                                                                                                    Static File Info

                                                                                                                                                                                                    General

                                                                                                                                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                    Entropy (8bit):7.851905543593135
                                                                                                                                                                                                    TrID:
                                                                                                                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                                                    File name:Zoom.exe
                                                                                                                                                                                                    File size:357'376 bytes
                                                                                                                                                                                                    MD5:da30eab35f763bc0c5100f7da5f8e676
                                                                                                                                                                                                    SHA1:218134a4b2e2d00ea18cf528ae35431a01474fe3
                                                                                                                                                                                                    SHA256:80e520bd05e9f430994d7108aa44e756421bb5ba84ef12972ecb280545bcef3a
                                                                                                                                                                                                    SHA512:68a209c85c60cd75eba6ebc0d8a29ebdf4ae869d962cfc8d68dfae72304553f15873f3dfcca6b110e716b5c4f525447f5901050cc02f9ac61755174ca60f076f
                                                                                                                                                                                                    SSDEEP:6144:FqGQ3yZ9DfOoAHkhjoW6Pj1EuY6nxMjayFG1guB/yz6VSVYPxfN3eFS0I:FzQrFkhjoWC1EgnSj9F+gkmKXJ0
                                                                                                                                                                                                    TLSH:2B741282B1DBC251DAA826B5C4D758580BFBB3933937C9463E4516A86E033FDCF49B84
                                                                                                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7b................0..j............... ........@.. ....................................@................................

                                                                                                                                                                                                    File Icon

                                                                                                                                                                                                    Icon Hash:90cececece8e8eb0

                                                                                                                                                                                                    Static PE Info

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Entrypoint:0x4589ae
                                                                                                                                                                                                    Entrypoint Section:.text
                                                                                                                                                                                                    Digitally signed:false
                                                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                                                    Subsystem:windows gui
                                                                                                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                    Time Stamp:0xACB26237 [Mon Oct 24 09:28:23 2061 UTC]
                                                                                                                                                                                                    TLS Callbacks:
                                                                                                                                                                                                    CLR (.Net) Version:
                                                                                                                                                                                                    OS Version Major:4
                                                                                                                                                                                                    OS Version Minor:0
                                                                                                                                                                                                    File Version Major:4
                                                                                                                                                                                                    File Version Minor:0
                                                                                                                                                                                                    Subsystem Version Major:4
                                                                                                                                                                                                    Subsystem Version Minor:0
                                                                                                                                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                                                                                                    Entrypoint Preview

                                                                                                                                                                                                    Instruction
                                                                                                                                                                                                    jmp dword ptr [00402000h]
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al
                                                                                                                                                                                                    add byte ptr [eax], al

                                                                                                                                                                                                    Data Directories

                                                                                                                                                                                                    NameVirtual AddressVirtual Size Is in Section
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x589600x4b.text
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x5a0000x560.rsrc
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x5c0000xc.reloc
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                                                                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                                                                                    Sections

                                                                                                                                                                                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                                                                                    .text0x20000x569b40x56a00112a060d6044ecca04bbc963a28b4778False0.919758409992785data7.8678306288821815IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                                                                                    .rsrc0x5a0000x5600x600c68e9300dd5016a890fedb5353d1d463False0.4016927083333333data3.93556050368482IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                                                                    .reloc0x5c0000xc0x200d4072833d0f568bb3e3e4efba9c939b2False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                                                                                    Resources

                                                                                                                                                                                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                                                                                    RT_VERSION0x5a0a00x2d4data0.43370165745856354
                                                                                                                                                                                                    RT_MANIFEST0x5a3740x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                                                                                                                                                                    Imports

                                                                                                                                                                                                    DLLImport
                                                                                                                                                                                                    mscoree.dll_CorExeMain

                                                                                                                                                                                                    Network Behavior

                                                                                                                                                                                                    Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                                                                                                                                                                    Statistics

                                                                                                                                                                                                    CPU Usage

                                                                                                                                                                                                    Click to jump to process

                                                                                                                                                                                                    Memory Usage

                                                                                                                                                                                                    Click to jump to process

                                                                                                                                                                                                    High Level Behavior Distribution

                                                                                                                                                                                                    Click to dive into process behavior distribution

                                                                                                                                                                                                    Behavior

                                                                                                                                                                                                    Click to jump to process

                                                                                                                                                                                                    System Behavior

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Target ID:0
                                                                                                                                                                                                    Start time:14:57:57
                                                                                                                                                                                                    Start date:18/11/2024
                                                                                                                                                                                                    Path:C:\Users\user\Desktop\Zoom.exe
                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                    Commandline:"C:\Users\user\Desktop\Zoom.exe"
                                                                                                                                                                                                    Imagebase:0xec0000
                                                                                                                                                                                                    File size:357'376 bytes
                                                                                                                                                                                                    MD5 hash:DA30EAB35F763BC0C5100F7DA5F8E676
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Target ID:2
                                                                                                                                                                                                    Start time:14:57:57
                                                                                                                                                                                                    Start date:18/11/2024
                                                                                                                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                    Commandline:"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String'
                                                                                                                                                                                                    Imagebase:0xeb0000
                                                                                                                                                                                                    File size:433'152 bytes
                                                                                                                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Target ID:3
                                                                                                                                                                                                    Start time:14:57:57
                                                                                                                                                                                                    Start date:18/11/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                    Imagebase:0x7ff7d8bf0000
                                                                                                                                                                                                    File size:875'008 bytes
                                                                                                                                                                                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Target ID:4
                                                                                                                                                                                                    Start time:14:58:09
                                                                                                                                                                                                    Start date:18/11/2024
                                                                                                                                                                                                    Path:C:\Users\user\AppData\Roaming\Zoom.exe
                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                    Commandline:"C:\Users\user\AppData\Roaming\Zoom.exe"
                                                                                                                                                                                                    Imagebase:0x250000
                                                                                                                                                                                                    File size:357'376 bytes
                                                                                                                                                                                                    MD5 hash:DA30EAB35F763BC0C5100F7DA5F8E676
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                    Antivirus matches:
                                                                                                                                                                                                    • Detection: 100%, Avira
                                                                                                                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                    • Detection: 45%, ReversingLabs
                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Target ID:5
                                                                                                                                                                                                    Start time:14:58:17
                                                                                                                                                                                                    Start date:18/11/2024
                                                                                                                                                                                                    Path:C:\Users\user\AppData\Roaming\Zoom.exe
                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                    Commandline:"C:\Users\user\AppData\Roaming\Zoom.exe"
                                                                                                                                                                                                    Imagebase:0x530000
                                                                                                                                                                                                    File size:357'376 bytes
                                                                                                                                                                                                    MD5 hash:DA30EAB35F763BC0C5100F7DA5F8E676
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Target ID:7
                                                                                                                                                                                                    Start time:14:58:35
                                                                                                                                                                                                    Start date:18/11/2024
                                                                                                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\explorer.exe
                                                                                                                                                                                                    Imagebase:0x7ff6dd5a0000
                                                                                                                                                                                                    File size:4'849'904 bytes
                                                                                                                                                                                                    MD5 hash:5EA66FF5AE5612F921BC9DA23BAC95F7
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Target ID:15
                                                                                                                                                                                                    Start time:14:58:55
                                                                                                                                                                                                    Start date:18/11/2024
                                                                                                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\explorer.exe
                                                                                                                                                                                                    Imagebase:0x7ff6dd5a0000
                                                                                                                                                                                                    File size:4'849'904 bytes
                                                                                                                                                                                                    MD5 hash:5EA66FF5AE5612F921BC9DA23BAC95F7
                                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Target ID:22
                                                                                                                                                                                                    Start time:14:59:50
                                                                                                                                                                                                    Start date:18/11/2024
                                                                                                                                                                                                    Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe"
                                                                                                                                                                                                    Imagebase:0x7ff781530000
                                                                                                                                                                                                    File size:2'742'376 bytes
                                                                                                                                                                                                    MD5 hash:BB7C48CDDDE076E7EB44022520F40F77
                                                                                                                                                                                                    Has elevated privileges:
                                                                                                                                                                                                    Has administrator privileges:
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Target ID:23
                                                                                                                                                                                                    Start time:14:59:50
                                                                                                                                                                                                    Start date:18/11/2024
                                                                                                                                                                                                    Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2220,i,9109457994456723034,8271552518861750300,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2224 /prefetch:3
                                                                                                                                                                                                    Imagebase:0x7ff781530000
                                                                                                                                                                                                    File size:2'742'376 bytes
                                                                                                                                                                                                    MD5 hash:BB7C48CDDDE076E7EB44022520F40F77
                                                                                                                                                                                                    Has elevated privileges:
                                                                                                                                                                                                    Has administrator privileges:
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Target ID:26
                                                                                                                                                                                                    Start time:15:00:52
                                                                                                                                                                                                    Start date:18/11/2024
                                                                                                                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                    Imagebase:0x7ff78a1f0000
                                                                                                                                                                                                    File size:57'360 bytes
                                                                                                                                                                                                    MD5 hash:F586835082F632DC8D9404D83BC16316
                                                                                                                                                                                                    Has elevated privileges:
                                                                                                                                                                                                    Has administrator privileges:
                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                    Disassembly

                                                                                                                                                                                                    Reset < >

                                                                                                                                                                                                      Executed Functions

                                                                                                                                                                                                      Function 07841820 Relevance: .6, Instructions: 591COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.120991450470.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7840000_powershell.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 9ece3f76b044a9306d36274ad094dee0fbdc76c21364be53f57a3ac5b7d47292
                                                                                                                                                                                                      • Instruction ID: 09e8559643293813c53bfd15310593dae4ba36d76f5b12e4a8e94d8330750f06
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9ece3f76b044a9306d36274ad094dee0fbdc76c21364be53f57a3ac5b7d47292
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 621257B5F0031D8FDB24DFA488157AABBA29FE2665F14807BD505CF641EAB1CC81C791
                                                                                                                                                                                                      Function 04923C00 Relevance: .3, Instructions: 314COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.120984698451.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_4920000_powershell.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: e3b92da246d342bf77f4b6cf6edfb36a9c02d6d2457ebdafb68411bf5f508d58
                                                                                                                                                                                                      • Instruction ID: 6c06673c8af967605d750597805549fa4b6f0af8d687a36ba379cc44d66fa861
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e3b92da246d342bf77f4b6cf6edfb36a9c02d6d2457ebdafb68411bf5f508d58
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1CD13734E01219AFDB15CFA8D584A9DFBF2BF88310F258569E804AB366C735ED45CB90
                                                                                                                                                                                                      Function 07841804 Relevance: .1, Instructions: 125COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.120991450470.0000000007840000.00000040.00000800.00020000.00000000.sdmp, Offset: 07840000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_7840000_powershell.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 31a50e53ca464f9a669b44c7c58cfc7e1da3d7eee7397e77354cb78c16ef2d9b
                                                                                                                                                                                                      • Instruction ID: 8cbb95af08c2e1ad0d9512cf1bfb48768041e6c897411a29a18f30be009ba45f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 31a50e53ca464f9a669b44c7c58cfc7e1da3d7eee7397e77354cb78c16ef2d9b
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1B4127B1F0130ECFCB248F948805AAA7FB3ABA1655F5840A6D804DB251D774CC81C792
                                                                                                                                                                                                      Function 04923BF0 Relevance: .1, Instructions: 60COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.120984698451.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_4920000_powershell.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: ad87c419bc6ac660c1a31668dad7d6c0b4825ccff71d1105dee43df6fa7e6f11
                                                                                                                                                                                                      • Instruction ID: 9c46f5fe0ec1ae0e33ba12cbcc4df75f8aa87d988dd742feb30b69f35b327d12
                                                                                                                                                                                                      • Opcode Fuzzy Hash: ad87c419bc6ac660c1a31668dad7d6c0b4825ccff71d1105dee43df6fa7e6f11
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 79212C74A002199FCB10CFA8C580AAEFBB5FF49310B1585A9E949AB351C735FD51CBA1
                                                                                                                                                                                                      Function 00EAD005 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.120983696202.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_ead000_powershell.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 1bb3a0c35ea4a4378db54ad8ed7def256e8b8056c155e062d7e30f733cbc040d
                                                                                                                                                                                                      • Instruction ID: 1f8c5650bfa698215f3c967ff8aba6a2d1d714e06b06b8f6dae8978c94d78f06
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1bb3a0c35ea4a4378db54ad8ed7def256e8b8056c155e062d7e30f733cbc040d
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0A01406100E3C05FE7128B258C94752BFB49F57224F1D80DBD8989F193C2695849C772
                                                                                                                                                                                                      Function 00EAD01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.120983696202.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_ead000_powershell.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: b26e626efaddd52d4fdd3ba811298c36889312030fd4c48ec25bc8560f8a6b43
                                                                                                                                                                                                      • Instruction ID: 05d542d1a581463f587e2117f05a6148b470a7bd7b2ed88a3aa6273ebf5f20a9
                                                                                                                                                                                                      • Opcode Fuzzy Hash: b26e626efaddd52d4fdd3ba811298c36889312030fd4c48ec25bc8560f8a6b43
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3C01A771408740AFE7104E25CCC4B67BBA9DF5A734F18845AEC465E682C279A845DAB1
                                                                                                                                                                                                      Function 04922C06 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000002.00000002.120984698451.0000000004920000.00000040.00000800.00020000.00000000.sdmp, Offset: 04920000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_2_2_4920000_powershell.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 61b40c82fc367c60fd56f1a8db0a6ae312bb616e9d460d9b9dce332e1d372174
                                                                                                                                                                                                      • Instruction ID: b2975caaa338c431fdfb7bc3c821d2db4c959af83119d36bc7e1f2683492151f
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 61b40c82fc367c60fd56f1a8db0a6ae312bb616e9d460d9b9dce332e1d372174
                                                                                                                                                                                                      • Instruction Fuzzy Hash: DFF01735A001089FCB14CB89D890AEEF7B1FF88324F208199E515A72A0C736A862CB50

                                                                                                                                                                                                      Executed Functions

                                                                                                                                                                                                      Function 00BA1758 Relevance: .3, Instructions: 256COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: b56195791e5dad9abcc2e52e8b31bef20a08dadab755355dcc27cbe2eb147a03
                                                                                                                                                                                                      • Instruction ID: 3c4c16ca2894fb6cc0341c4e3f2386cb16e60a34003e61ae753bb0e1f02fa20e
                                                                                                                                                                                                      • Opcode Fuzzy Hash: b56195791e5dad9abcc2e52e8b31bef20a08dadab755355dcc27cbe2eb147a03
                                                                                                                                                                                                      • Instruction Fuzzy Hash: ECA1BC34A046008FD715DF69D494A9EBBF2FF89350F1585A9E416EB3A1DB74EC01CB90
                                                                                                                                                                                                      Function 00BA11DD Relevance: .1, Instructions: 138COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 44c99e78993b50a68a17cd19778ba5c8438e916b1a5b1db2a3fc6b6f60ddd909
                                                                                                                                                                                                      • Instruction ID: 0221ba6d5d7f7cd45920691bad817cd169d00f1cd10021b56e355f594b9cf26c
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 44c99e78993b50a68a17cd19778ba5c8438e916b1a5b1db2a3fc6b6f60ddd909
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 20513B74B14114CFCB44EFA9C898AADBBF2BF89700F2544A9E506EB3A1DE749C45CB50
                                                                                                                                                                                                      Function 00BA10CF Relevance: .1, Instructions: 69COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: b80e775d83790803907f861d862c88dd7d3270ff0a6580a56ccdd6e86e44e17d
                                                                                                                                                                                                      • Instruction ID: 48bec7f3956591caebc81bceda6e4faf5204db1d450802e082767e226a9c0a16
                                                                                                                                                                                                      • Opcode Fuzzy Hash: b80e775d83790803907f861d862c88dd7d3270ff0a6580a56ccdd6e86e44e17d
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 351103343083404FC386EB79DC68A2A7BE1EFC9350B1540AAE805CB3A2DE64DC048B81
                                                                                                                                                                                                      Function 00BA10E0 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 22f1fcb2eac61385a00d0cf78de1a1617f3d02ddb15f0d4b946d5385d18f78dc
                                                                                                                                                                                                      • Instruction ID: 4c129e685fe7b138044c1a6735168510b8d2c8b603d5379c3c55f51e21258f57
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 22f1fcb2eac61385a00d0cf78de1a1617f3d02ddb15f0d4b946d5385d18f78dc
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2F11CE343043009FC795EB7ED898E2A77E6EBC9750B1081A9E906CB354EF64DC018B91
                                                                                                                                                                                                      Function 00BAFE78 Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: f91962925ddc25f9942fdc3d72fd5fbf15eb975672909640465e588705406fef
                                                                                                                                                                                                      • Instruction ID: cff682c27077a5ee7f3c1d403cb6e866135c51b9ed1f4c6c99ea492ce005d02d
                                                                                                                                                                                                      • Opcode Fuzzy Hash: f91962925ddc25f9942fdc3d72fd5fbf15eb975672909640465e588705406fef
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6101B575B04508ABCB15EFE9E005AAF77A7DBC5710F14C06AE51297389CE3C5E018BE5
                                                                                                                                                                                                      Function 00BA11B4 Relevance: .0, Instructions: 46COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 5cc3ce3907fabb0b0208715173735afaad0d30aea5e0c55571f31e52f90a070b
                                                                                                                                                                                                      • Instruction ID: 311ff6dfacd021ef016e80751609d9f56960a1a12b1de00607d2819b9f43eeeb
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5cc3ce3907fabb0b0208715173735afaad0d30aea5e0c55571f31e52f90a070b
                                                                                                                                                                                                      • Instruction Fuzzy Hash: FDF022747090009FCB84DBBAC858F6B3BE5DBC9381F2001AAE607DB390CAA04D059BA1
                                                                                                                                                                                                      Function 00BA08F1 Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: d28d4113c0953fe96b59d04fe0605bd5d217252483db8a56f9a65daf11c1135e
                                                                                                                                                                                                      • Instruction ID: 4cc7b3a48817b096f7a5b5f316e753230155ff50487e3c070a57332a3d9582e3
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d28d4113c0953fe96b59d04fe0605bd5d217252483db8a56f9a65daf11c1135e
                                                                                                                                                                                                      • Instruction Fuzzy Hash: F1F0A524A9E3D91FCB534A201CA86D93F309F03000F4A01EBC885CF5E3C289550ED366
                                                                                                                                                                                                      Function 00BA0897 Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: bf024615d117b556571df267a8d752f9fc99a48410d791d639132a5e5b66ea8c
                                                                                                                                                                                                      • Instruction ID: 8898facddb2fe30bb22ec7dd656e8150bbed99e874fbb667b78f327735fc2763
                                                                                                                                                                                                      • Opcode Fuzzy Hash: bf024615d117b556571df267a8d752f9fc99a48410d791d639132a5e5b66ea8c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E1F0823056D389EFC702DF709CA58EC7BB1EA02310B1145EEC806CB293D7345E09A795
                                                                                                                                                                                                      Function 00BA0860 Relevance: .0, Instructions: 27COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 6ed5e8e71382d74f0cf13aa311c1cd320ea81ba40d6c93e70ae0d7556e274196
                                                                                                                                                                                                      • Instruction ID: 9d86163ee7bbce525632365dabdbac8cc02f439e662e19db53b4b569e6960da2
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6ed5e8e71382d74f0cf13aa311c1cd320ea81ba40d6c93e70ae0d7556e274196
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 24E0025029EBE66FC3934B284C795AA7F70990310038D05EB98C1CB1EBC609A92DD3A7
                                                                                                                                                                                                      Function 00BA08A8 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 4595b8b2609c55d9c9b57793dd665b99a0f4483b3a34a3b2d0f63bb5732ed865
                                                                                                                                                                                                      • Instruction ID: 9c46872e6004953209f854cb1efd66e84b39feafc8d49156563cd50184b6bcba
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4595b8b2609c55d9c9b57793dd665b99a0f4483b3a34a3b2d0f63bb5732ed865
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E2E04F30929309EF9704EFB1D9A196CB7F9FB46311B208499D80A93251DA355E00A7D5
                                                                                                                                                                                                      Function 00BA0CD7 Relevance: .0, Instructions: 16COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 1a9f0708ec8bc109c956beb8b4341f7027f06c2fead16a7fc4bc87cb1fbc44d0
                                                                                                                                                                                                      • Instruction ID: 80139f9f6da7026de1a4dfcd94484832574fc8ddfcd62438222e2c83b4064e39
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1a9f0708ec8bc109c956beb8b4341f7027f06c2fead16a7fc4bc87cb1fbc44d0
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 79E0867592C210CFD305AF16D9882E5B7E4FB0A340F0645F6C9466B215C735A905DF41
                                                                                                                                                                                                      Function 00BA366B Relevance: .0, Instructions: 9COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: c5956104aba7ea8da58913d366900ee93b8a2e40be23553ee37c322d5f28bfd5
                                                                                                                                                                                                      • Instruction ID: 894ef7a58cdeb774e8a67b34f81168ad55a6e8a0fa65a4b5f058725ca66dd9fa
                                                                                                                                                                                                      • Opcode Fuzzy Hash: c5956104aba7ea8da58913d366900ee93b8a2e40be23553ee37c322d5f28bfd5
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 59C01234B09004ABEB0457A5E91057CB6B2EB84301F104514F802522E0C9211D046705
                                                                                                                                                                                                      Function 00BA0940 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 749baa12f421f5ef1b3d0402a65087941d58b30120032a96c484833ae89b6d83
                                                                                                                                                                                                      • Instruction ID: 25ec44d933230578dc11677ee891667c9ea1ef4085080e8530e2abc8251180e4
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 749baa12f421f5ef1b3d0402a65087941d58b30120032a96c484833ae89b6d83
                                                                                                                                                                                                      • Instruction Fuzzy Hash: B690223000830C8B00002BAA3808000B30CC0000023C00020A00C02C028A8020000282

                                                                                                                                                                                                      Non-executed Functions

                                                                                                                                                                                                      Function 00BA1AA8 Relevance: .7, Instructions: 660COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 1a4e0212ea1b6f73811c3c79a50f5006d200f381c4f9b97e34ff0f4be478ea38
                                                                                                                                                                                                      • Instruction ID: 26befa4cd26088e8e10c34fac75d0c93644111a8fb418599ad0b8746a559d1f6
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1a4e0212ea1b6f73811c3c79a50f5006d200f381c4f9b97e34ff0f4be478ea38
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 37523CE6E0D6D54FC702CB74986829EFFF2AFA720475985DED0905B247E328E846C742
                                                                                                                                                                                                      Function 00BA1B92 Relevance: .6, Instructions: 571COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: cfb0098e7e7e55faaf1df0e3fa286be582867132af26356c8445fb2754cb014c
                                                                                                                                                                                                      • Instruction ID: 085798504d26ac632cf63ae0cb8809c3b1051f2c2f91169a26381cc6810ae2b7
                                                                                                                                                                                                      • Opcode Fuzzy Hash: cfb0098e7e7e55faaf1df0e3fa286be582867132af26356c8445fb2754cb014c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8D321AEAE0D6C54FC702CB34987828DFFF2AF6720875985DFD4905B247E228A846C742
                                                                                                                                                                                                      Function 00BA1B33 Relevance: .6, Instructions: 571COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 96602fb519be51524e0d62b7678e4215e784c592351d7324155d0dddc159379a
                                                                                                                                                                                                      • Instruction ID: a0ba257aa90cb8d3914e73c54b3e22c0823123fa5c12f4eec15150a6b6b3a297
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 96602fb519be51524e0d62b7678e4215e784c592351d7324155d0dddc159379a
                                                                                                                                                                                                      • Instruction Fuzzy Hash: A2321AEAE0D6C54FC702CB34987828DFFF2AF6721875985DFD0905B647E228A846C742
                                                                                                                                                                                                      Function 00BA1B07 Relevance: .6, Instructions: 571COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 5877984a64c043bf2f40b901815ed15746c6424590889f726928dcc4530c485d
                                                                                                                                                                                                      • Instruction ID: f8d1edd0a3a61403289c6ac11b45052f1211ecf2a67fd91b90ea64fa8da316b6
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5877984a64c043bf2f40b901815ed15746c6424590889f726928dcc4530c485d
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 47321BEAE0D6C54FC702CB74987828DFFF2AF6721875985DFD0905B647E228A846C742
                                                                                                                                                                                                      Function 00BA1AF2 Relevance: .6, Instructions: 570COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: e08f2f001c6ff6defe2174baeefc678c198c03b17b559e8f835f23ff2ae9a183
                                                                                                                                                                                                      • Instruction ID: a8acae1bfd15fc58a38648f3cd9056225dca02ae8d2544a4991c224a2b7c4698
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e08f2f001c6ff6defe2174baeefc678c198c03b17b559e8f835f23ff2ae9a183
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9C320AEAE0D6C54FC702CB34987828DFFF2AF6721875985DFD4905B647E228A846C742
                                                                                                                                                                                                      Function 00BA1B1E Relevance: .6, Instructions: 570COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: f7283e5bbbfaeada735abd64d158e882e5264d1c6777a115f8b6ff48ac7cb410
                                                                                                                                                                                                      • Instruction ID: c3f00fdb38100d0cbc27bad7327e157fc382b5776c6c60211e2f9a7d90f01606
                                                                                                                                                                                                      • Opcode Fuzzy Hash: f7283e5bbbfaeada735abd64d158e882e5264d1c6777a115f8b6ff48ac7cb410
                                                                                                                                                                                                      • Instruction Fuzzy Hash: E2321BEAE0D6C54FC702CB34987828DFFF2AF6721875985DFD0905B647E228A846C742
                                                                                                                                                                                                      Function 00BA1B7A Relevance: .6, Instructions: 570COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 16d4d3149e3d1d6101b107f2de76ac66fcaa2d4cf88be7871e96e600ea9a79a1
                                                                                                                                                                                                      • Instruction ID: e069f40fee76706a578da91c23e229cb164db0161d83472761cf1f0d33312cf5
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 16d4d3149e3d1d6101b107f2de76ac66fcaa2d4cf88be7871e96e600ea9a79a1
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5A320BEAE0D6C54FC702CB34987828DFFF2AF6711875985DFD0905B647E228A846C742
                                                                                                                                                                                                      Function 00BA1B62 Relevance: .6, Instructions: 570COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: e55bbeaa27ad00775d2249044ff8baede1da9ca303f8069e8eb624aeb9f9c94d
                                                                                                                                                                                                      • Instruction ID: 07d249973907720fe185b840df3efe061da75889b1f629fe05c2cfd2b82cf82c
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e55bbeaa27ad00775d2249044ff8baede1da9ca303f8069e8eb624aeb9f9c94d
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 50320AEAE0D6C54FC702CB34987828DFFF2AF6721875985DFD0905B647E228A846C742
                                                                                                                                                                                                      Function 00BA1B4A Relevance: .6, Instructions: 570COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: fd9bb029cd2280089ee01d794ebb44cdde15d9f600f3b8f0c92fdfa79ee7e20c
                                                                                                                                                                                                      • Instruction ID: 98e7b1771aa344b0aa63081a39133730c9445708c3ae099b0b521bba1587f601
                                                                                                                                                                                                      • Opcode Fuzzy Hash: fd9bb029cd2280089ee01d794ebb44cdde15d9f600f3b8f0c92fdfa79ee7e20c
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6B320AEAE0D6C54FC702CB34987828DFFF2AF6721875985DFD4905B647E228A846C742
                                                                                                                                                                                                      Function 00BA3BEF Relevance: .6, Instructions: 566COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: eedbcc3c5bccfddba753c0cd8181a484fa1b8a2ac990b8ab06070200752a1d53
                                                                                                                                                                                                      • Instruction ID: e7e06f83249c1a6fef9c281b78cbbe8c965ab5a8a1874a13ce9984f8c6407572
                                                                                                                                                                                                      • Opcode Fuzzy Hash: eedbcc3c5bccfddba753c0cd8181a484fa1b8a2ac990b8ab06070200752a1d53
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6A3209EAE0D6C54FC702CB34987828DFFF2AFA711875985DFD4905B647E228A846C742
                                                                                                                                                                                                      Function 00BA2F25 Relevance: .6, Instructions: 566COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 8cabc61d8f5fdccd920a37992e7184e9ecf80866215a48c170c81b2c8d9f0a9d
                                                                                                                                                                                                      • Instruction ID: 27bfadf267b4fd0fc63e0a51280d5449d7195fe042fe6991b05ab740f41f8805
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8cabc61d8f5fdccd920a37992e7184e9ecf80866215a48c170c81b2c8d9f0a9d
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 56320AEAE0D6C54FC702CB34987828DFFF2AFA711875985DFD4905B647E228A846C742
                                                                                                                                                                                                      Function 00BA3CA2 Relevance: .6, Instructions: 553COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: f4d5eecc006e4df7fba7a9faf4064516321ce88d1adc323899ae321fff917074
                                                                                                                                                                                                      • Instruction ID: 87d0dddcef191aea948c9b393d4f08516f0123465a4e232ede314df3ba154a5c
                                                                                                                                                                                                      • Opcode Fuzzy Hash: f4d5eecc006e4df7fba7a9faf4064516321ce88d1adc323899ae321fff917074
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3F320BEAE0D6D54FC702CB74987828DFFF2AFA611875985DFD0905B247E228A847C742
                                                                                                                                                                                                      Function 00BA4258 Relevance: .2, Instructions: 199COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 80e9256ab1fe3ecfac24d33fda4e666c2f78f832dbb7b1414324326af1d8b1a3
                                                                                                                                                                                                      • Instruction ID: 55ef82b0dd1ec90ed470464833b823d0887a9264ef0e6bb8439954aeda132dda
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 80e9256ab1fe3ecfac24d33fda4e666c2f78f832dbb7b1414324326af1d8b1a3
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 57718B71E0462A8BDF14CFA9C8816AEFBF2FB98304F148669D425E7205D774E946CB90
                                                                                                                                                                                                      Function 00BA14D0 Relevance: .2, Instructions: 156COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 0af6728f6232da225a941175ccc4c02a3cbd0d1c34fc7c09fa78effa683c9243
                                                                                                                                                                                                      • Instruction ID: ce65a2767b4cc7d9f18ba47d8b14a19472956409a19c71628fe3bceefd4e0fc1
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0af6728f6232da225a941175ccc4c02a3cbd0d1c34fc7c09fa78effa683c9243
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9A616A70A147449FE34AEF7BE850B99BBF3BBC8344F04C069D0049B268EB789946DB51
                                                                                                                                                                                                      Function 00BA14E0 Relevance: .1, Instructions: 149COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000004.00000002.121247438277.0000000000BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BA0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_4_2_ba0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: de59679db57a7da62ad6aa241b4518c14f12214a57c59449e1ba950d744d8858
                                                                                                                                                                                                      • Instruction ID: 28cbab4642f4d37d7cad6096dada0ff74cef7a2fce8d644f17ce6d113665440b
                                                                                                                                                                                                      • Opcode Fuzzy Hash: de59679db57a7da62ad6aa241b4518c14f12214a57c59449e1ba950d744d8858
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 10513B70A147049FE74AEF7BE850B89BBF3ABC8344F14C469D0049B268EF789946DB51

                                                                                                                                                                                                      Executed Functions

                                                                                                                                                                                                      Function 010A1758 Relevance: .3, Instructions: 269COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000005.00000002.121329396733.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_10a0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 52457d2a4e34d5b53f3a9e4874b75830b2d29bdb4478c7798a8b5d0c085bc869
                                                                                                                                                                                                      • Instruction ID: cea8811158e3a6199ba98d06da8c9b922a2134713b45f9c7ab2a48e61733e54b
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 52457d2a4e34d5b53f3a9e4874b75830b2d29bdb4478c7798a8b5d0c085bc869
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 56B1DF34A006008FC715DFA9D594A9DBBF2FF89710F9581A9E446EB3A5EB30EC01CB90
                                                                                                                                                                                                      Function 010A11DD Relevance: .1, Instructions: 138COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000005.00000002.121329396733.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_10a0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 538a677054c315abac5d86abd6514cf709921e716cc35bfe7837e9d00ca89019
                                                                                                                                                                                                      • Instruction ID: 1cc29d87ae64b1b2c9550ae77cfe3cf750da0ecdc013f311ffde806c4d3c6f67
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 538a677054c315abac5d86abd6514cf709921e716cc35bfe7837e9d00ca89019
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 97513B74B00114CFCB44EFA9C898AADBBF2BF88700F658469E546EB3A5DE719C41CB50
                                                                                                                                                                                                      Function 010A10CF Relevance: .1, Instructions: 70COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000005.00000002.121329396733.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_10a0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: e49c098a530315820f6a836f9baf1f5a1bcdc5d72fdeb575667fea6fca588762
                                                                                                                                                                                                      • Instruction ID: f899c4dcd108377d3596494e8e90d1b30e9b962298982b8fbb0c28eb32c6c499
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e49c098a530315820f6a836f9baf1f5a1bcdc5d72fdeb575667fea6fca588762
                                                                                                                                                                                                      • Instruction Fuzzy Hash: CE11D3343042419FC746EB79D964E2A7BE5EFC9710B5480AEE446CB3A6DF74DC008B61
                                                                                                                                                                                                      Function 010A10E0 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000005.00000002.121329396733.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_10a0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 8672f7f7e5ed3f95852c10f76a90b872e273f4b40abcc1e6d43bce5140f6f769
                                                                                                                                                                                                      • Instruction ID: 582c3c8c4e108e3922c5a8f13e6d1dd0dcc91d94913bab98f26a39e108e0d1f7
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8672f7f7e5ed3f95852c10f76a90b872e273f4b40abcc1e6d43bce5140f6f769
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8D1186343002019FC745EBBAD954E2A7BE6EFC8754B548069E50ACB355EF74DC018BA1
                                                                                                                                                                                                      Function 010AFE78 Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000005.00000002.121329396733.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_10a0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: e12f375e082fcfa8fe2a707867788cfe56fcdd18a1c4367b8f03efd79919d4e1
                                                                                                                                                                                                      • Instruction ID: 7a22b3c7793709a6d584577523dad55a67eb6fb6432ee8009fe700999c0762ff
                                                                                                                                                                                                      • Opcode Fuzzy Hash: e12f375e082fcfa8fe2a707867788cfe56fcdd18a1c4367b8f03efd79919d4e1
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 94018C75B443089BDB09EE99E01869FBBA6EBC4710B508099E60287789CF349A018BE5
                                                                                                                                                                                                      Function 010A0897 Relevance: .0, Instructions: 31COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000005.00000002.121329396733.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_10a0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 0b679f59e66f9137cf5cdfdbd078822ef447eb59512090acb19264a23d56f252
                                                                                                                                                                                                      • Instruction ID: be5c6431166bcbf20f0997c131b45a0cbce9547874531fe49348c19e6cd4ec36
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0b679f59e66f9137cf5cdfdbd078822ef447eb59512090acb19264a23d56f252
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6FF01C3050974EEFDB01EBA5E9548AC7BB9EF0B34075044D9E986DB219EA306A10E7A1
                                                                                                                                                                                                      Function 010A11AB Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000005.00000002.121329396733.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_10a0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 8cc00f94197f73cc000eb5937362b2a8b1cecde122e3a73e97644200dfc33af0
                                                                                                                                                                                                      • Instruction ID: e53d321e3a84417215b0a1955984bcdd7b6333474d9448b9c9f886fec7518fcb
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8cc00f94197f73cc000eb5937362b2a8b1cecde122e3a73e97644200dfc33af0
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 36E0D876615048DFCB009BF5D998DAF7FB8DF89341F500176F446D7261D67198058770
                                                                                                                                                                                                      Function 010A08A8 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000005.00000002.121329396733.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_10a0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: bcafc04c67210f5768e70604d6a3df50d835da325643125e0ac625e9706e8dcc
                                                                                                                                                                                                      • Instruction ID: 56f77f3434a51cb2922e6f678398af616847f475e29d56c76797bc5e35e17729
                                                                                                                                                                                                      • Opcode Fuzzy Hash: bcafc04c67210f5768e70604d6a3df50d835da325643125e0ac625e9706e8dcc
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7FE04F3090530EEF9700EFA4E94186CB7B9FB05304B504499E486D3308EA316E00ABE5
                                                                                                                                                                                                      Function 010A0CD7 Relevance: .0, Instructions: 16COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000005.00000002.121329396733.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_10a0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 907a2c609ede84ad9778c256d6a7e2e26858b62c930e1e05576e394437e8b474
                                                                                                                                                                                                      • Instruction ID: 3912699ae4d2a5ff45a2c9e4786b79d2d958986b7565b0fcf5bdf7bf301ad417
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 907a2c609ede84ad9778c256d6a7e2e26858b62c930e1e05576e394437e8b474
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0AE026B5504104CFD305CF41C9485E8B7E0BB08300F8A41B2E68AAB21CC332E901CF41
                                                                                                                                                                                                      Function 010A0930 Relevance: .0, Instructions: 13COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000005.00000002.121329396733.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_10a0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 2e75ff1d0492fd38b6ba523db8c224a88f0cb91e8e9c6aced6582440a4c0c00e
                                                                                                                                                                                                      • Instruction ID: 5ca4e8bb35cf26cf824b789c7b25212652c7baaa11e0598be30050c290a39c12
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2e75ff1d0492fd38b6ba523db8c224a88f0cb91e8e9c6aced6582440a4c0c00e
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6CC04C6A99D3C55FCF030B746C79AD83FB08C1302131542D7EC9AD59E39159540FAB22
                                                                                                                                                                                                      Function 010A4981 Relevance: .0, Instructions: 13COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000005.00000002.121329396733.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_10a0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 228fdebc3ed9e4c2c87c586dd5ab59e2b602ee7ed73d8898ba8340b74e1e0c88
                                                                                                                                                                                                      • Instruction ID: 38bf485fef409bd9063d62271008a374f1aa52e3c1ee04446a7a83adc238e9f0
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 228fdebc3ed9e4c2c87c586dd5ab59e2b602ee7ed73d8898ba8340b74e1e0c88
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 68D0C99924A1A08AC60246FA446A7B53BB1DAA1048BCD81DA80C98A127D1588117C745
                                                                                                                                                                                                      Function 010A0880 Relevance: .0, Instructions: 10COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000005.00000002.121329396733.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_10a0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 34da07fb2b0ed796503c96db3792ce509ff4615fff69056718543eaade94e514
                                                                                                                                                                                                      • Instruction ID: 5f643969da8bc81d174d81b39105ac26d7f64486d6f0f84cb8cf76f537be8fa1
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 34da07fb2b0ed796503c96db3792ce509ff4615fff69056718543eaade94e514
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 80C0483000ABEA8FCF028B28DE240843B70EE0B30034594C2C284CF073CE24280AE32A
                                                                                                                                                                                                      Function 010A366B Relevance: .0, Instructions: 9COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000005.00000002.121329396733.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_10a0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: 138b67d54da9e0e39492043fd7db6d40440816abb66a34518d6a2f848bbefa30
                                                                                                                                                                                                      • Instruction ID: 9df508798dfa6745cc9c24623d91da398adc580dda83a3caadb4da0662f9147d
                                                                                                                                                                                                      • Opcode Fuzzy Hash: 138b67d54da9e0e39492043fd7db6d40440816abb66a34518d6a2f848bbefa30
                                                                                                                                                                                                      • Instruction Fuzzy Hash: 61C00238B09009FBDF056B95E925AACBA72EF94341F504129F943A23E0CA356D15AB25
                                                                                                                                                                                                      Function 010A0940 Relevance: .0, Instructions: 5COMMON
                                                                                                                                                                                                      Download Yara Rule
                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                      • Source File: 00000005.00000002.121329396733.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                      • Snapshot File: hcaresult_5_2_10a0000_Zoom.jbxd
                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                      • Opcode ID: d96e1357fa0fce121d3ea49cb3cc90ceaf5fa2ad15afd56eb1ade81eed959f9b
                                                                                                                                                                                                      • Instruction ID: 715f5ae24c82760366f3cc6dec787e721b5be77f68dee5adc0b1c20e0215c701
                                                                                                                                                                                                      • Opcode Fuzzy Hash: d96e1357fa0fce121d3ea49cb3cc90ceaf5fa2ad15afd56eb1ade81eed959f9b
                                                                                                                                                                                                      • Instruction Fuzzy Hash: BE90023144470F8F454427A57909955775CD9445157804061B50DD1A125A95A41045AB