Windows Analysis Report
Zoom.exe

Overview

General Information

Sample name:Zoom.exe
Analysis ID:1557990
MD5:da30eab35f763bc0c5100f7da5f8e676
SHA1:218134a4b2e2d00ea18cf528ae35431a01474fe3
SHA256:80e520bd05e9f430994d7108aa44e756421bb5ba84ef12972ecb280545bcef3a
Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Set autostart key via New-ItemProperty Cmdlet
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Monitors registry run keys for changes
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64native
  • Zoom.exe (PID: 7556 cmdline: "C:\Users\user\Desktop\Zoom.exe" MD5: DA30EAB35F763BC0C5100F7DA5F8E676)
    • powershell.exe (PID: 7772 cmdline: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • explorer.exe (PID: 7744 cmdline: C:\Windows\explorer.exe MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
    • explorer.exe (PID: 2140 cmdline: C:\Windows\explorer.exe MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
      • chrome.exe (PID: 7728 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: BB7C48CDDDE076E7EB44022520F40F77)
        • chrome.exe (PID: 2980 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2220,i,9109457994456723034,8271552518861750300,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2224 /prefetch:3 MD5: BB7C48CDDDE076E7EB44022520F40F77)
  • Zoom.exe (PID: 1260 cmdline: "C:\Users\user\AppData\Roaming\Zoom.exe" MD5: DA30EAB35F763BC0C5100F7DA5F8E676)
  • Zoom.exe (PID: 7756 cmdline: "C:\Users\user\AppData\Roaming\Zoom.exe" MD5: DA30EAB35F763BC0C5100F7DA5F8E676)
  • svchost.exe (PID: 5852 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: F586835082F632DC8D9404D83BC16316)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Zoom.exe PID: 1260 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

      System Summary

      Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Zoom.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7772, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zoom
      Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String', CommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String', CommandLine|base64offset|contains: E^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Zoom.exe", ParentImage: C:\Users\user\Desktop\Zoom.exe, ParentProcessId: 7556, ParentProcessName: Zoom.exe, ProcessCommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String', ProcessId: 7772, ProcessName: powershell.exe
      Source: Process started, Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 900, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5852, ProcessName: svchost.exe

      Persistence and Installation Behavior

      Source: Process started, Author: Joe Security: Data: Command: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String', CommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String', CommandLine|base64offset|contains: E^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Zoom.exe", ParentImage: C:\Users\user\Desktop\Zoom.exe, ParentProcessId: 7556, ParentProcessName: Zoom.exe, ProcessCommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String', ProcessId: 7772, ProcessName: powershell.exe
      No Suricata rule has matched

      AV Detection

      Source: Zoom.exe, Avira: detected
      Source: C:\Users\user\AppData\Roaming\Zoom.exe, Avira: detection malicious, Label: HEUR/AGEN.1323341
      Source: C:\Users\user\AppData\Roaming\Zoom.exe, ReversingLabs: Detection: 44%
      Source: Zoom.exe, ReversingLabs: Detection: 44%
      Source: C:\Users\user\AppData\Roaming\Zoom.exe, Joe Sandbox ML: detected
      Source: Zoom.exe, Joe Sandbox ML: detected
      Source: Zoom.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: Zoom.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Joe Sandbox View, IP Address: 72.21.81.240
      Source: Joe Sandbox View, IP Address: 9.9.9.9
      Source: Joe Sandbox View, IP Address: 1.1.1.1
      Source: handlers.json.0.dr, String found in binary or memory: {"defaultHandlersVersion":{"en-GB":4},"mimeTypes":{"application/pdf":{"action":3,"extensions":["pdf"]},"text/xml":{"action":3,"extensions":["xml"]},"image/svg+xml":{"action":3,"extensions":["svg"]},"image/webp":{"action":3,"extensions":["webp"]}},"schemes":{"irc":{"stubEntry":true,"handlers":[null,{"name":"Mibbit","uriTemplate":"https://www.mibbit.com/?url=%s"}]},"ircs":{"stubEntry":true,"handlers":[null,{"name":"Mibbit","uriTemplate":"https://www.mibbit.com/?url=%s"}]},"mailto":{"stubEntry":true,"handlers":[null,{"name":"Yahoo! Mail","uriTemplate":"https://compose.mail.yahoo.com/?To=%s"},{"name":"Googlemail","uriTemplate":"https://mail.google.com/mail/?extsrc=mailto&url=%s"}]}}} equals www.yahoo.com (Yahoo)
      Source: cert9.db.0.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
      Source: powershell.exe, 00000002.00000002.120984169871.0000000003037000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
      Source: powershell.exe, 00000002.00000002.120984169871.0000000003037000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: cert9.db.0.dr, String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
      Source: cert9.db.0.dr, String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
      Source: cert9.db.0.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
      Source: cert9.db.0.dr, String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
      Source: cert9.db.0.dr, String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
      Source: cert9.db.0.dr, String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
      Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
      Source: svchost.exe, 0000001A.00000003.122724068608.000002E4FE000000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr, String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/update2/actxsdodvxbjblyjfcbcbc7srcwa_1.3.36.242/GoogleUpda
      Source: powershell.exe, 00000002.00000002.120988706985.0000000005BAB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
      Source: cert9.db.0.dr, String found in binary or memory: http://ocsp.digicert.com0
      Source: cert9.db.0.dr, String found in binary or memory: http://ocsp.pki.goog/gtsr100
      Source: cert9.db.0.dr, String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
      Source: powershell.exe, 00000002.00000002.120990536175.0000000007508000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.120985265105.0000000004C97000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000002.00000002.120985265105.0000000004C97000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png4
      Source: cert9.db.0.dr, String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
      Source: qmgr.db.26.dr, String found in binary or memory: http://r4---sn-5hnekn7k.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93
      Source: qmgr.db.26.dr, String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome/acb3kitere6jimdp6rrtasanb2aq_93.0.4577.82/93.0.457
      Source: qmgr.db.26.dr, String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/aciwgjnovhktokhzyboslawih45a_2700/jflook
      Source: qmgr.db.26.dr, String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/acze3h5f67uhtnjsyv6pabzn277q_298/lmelgle
      Source: qmgr.db.26.dr, String found in binary or memory: http://redirector.gvt1.com/edgedl/release2/chrome_component/dp66roauucji6olf7ycwe24lea_6869/hfnkpiml
      Source: explorer.exe, 00000007.00000003.121388869679.000000000E9F6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121438534222.000000000E9D8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://schemas.m
      Source: powershell.exe, 00000002.00000002.120985265105.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: qmgr.db.26.dr, String found in binary or memory: http://storage.googleapis.com/update-delta/ggkkehgbnfjpeggfpleeakpidbkibbmn/2021.9.13.1142/2021.9.7.
      Source: qmgr.db.26.dr, String found in binary or memory: http://storage.googleapis.com/update-delta/jamhcnnkihinmdlkakkaopbjbbcngflc/96.0.4648.2/96.0.4642.0/
      Source: qmgr.db.26.dr, String found in binary or memory: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/45/43/19f2dc8e4c5c5d0383
      Source: powershell.exe, 00000002.00000002.120990536175.0000000007508000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.120985265105.0000000004C97000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000002.00000002.120985265105.0000000004C97000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
      Source: powershell.exe, 00000002.00000002.120984169871.00000000030BD000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.microsoft.co
      Source: powershell.exe, 00000002.00000002.120984169871.0000000003037000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.quovadis.bm0
      Source: cert9.db.0.dr, String found in binary or memory: http://x1.c.lencr.org/0
      Source: cert9.db.0.dr, String found in binary or memory: http://x1.i.lencr.org/0
      Source: explorer.exe, 00000007.00000003.121365720001.0000000009C66000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.121365508103.0000000009C5A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.121389185482.0000000009C35000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.121384670529.0000000009C35000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009C46000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.121369839866.0000000009C19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.121365088329.0000000009C40000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/odirm#3
      Source: explorer.exe, 0000000F.00000003.122814619555.0000000009178000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121583134853.0000000009178000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.122813453261.0000000009178000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/odirmFF
      Source: powershell.exe, 00000002.00000002.120985265105.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore6lB
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=7834C1E69F06476EA9E614C5E284C1B3&timeOut=5000&oc
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=BD90711994424F5B8983DD2624ABCF73&timeOut=5000&oc
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehR3S.png
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehR3S.svg
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240908.1/Weather/W01_Sunn
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13eu4J
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13eu4J-dark
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13g0tb
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13g0tb-dark
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gD5m
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gD5m-dark
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDfu
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDfu-dark
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDrC
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gDrC-dark
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF7M
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF7M-dark
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF81
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF81-dark
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gFtr
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gFtr-dark
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHFX
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHFX-dark
      Source: explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
      Source: explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMda
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMda-dark
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPv0
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPv0-dark
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRtf
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRtf-dark
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gowI
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gowI-dark
      Source: handlers.json.0.dr, String found in binary or memory: https://compose.mail.yahoo.com/?To=%s
      Source: powershell.exe, 00000002.00000002.120988706985.0000000005BAB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000002.00000002.120988706985.0000000005BAB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000002.00000002.120988706985.0000000005BAB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
      Source: svchost.exe, 0000001A.00000003.124542010887.000002E4F5EB1000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://download.mozilla.org/?product=firefox-96.0.1-complete&os=win64&lang=en-GB3
      Source: svchost.exe, 0000001A.00000003.123662387896.000002E4F5DA1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://download.mozilla.org/?product=firefox-96.0.1-complete&os=win64&lang=en-GBOC:
      Source: qmgr.db.26.dr, String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe
      Source: powershell.exe, 00000002.00000002.120990536175.0000000007508000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.120985265105.0000000004C97000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000002.00000002.120985265105.0000000004C97000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester4
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://go.redirectingat.com?id=74968X1553576&url=https%3A%2F%2Fsokoglam.com%2F&sref=https%3A%2F%2Fw
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://go.redirectingat.com?id=74968X1553576&url=https%3A%2F%2Fwww.peachandlily.com%2F&sref=https%3
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA18UlKH.img
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA19ywjN.img
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1s3zil.img
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2YAWO.img
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA36Tom.img
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6J22N.img
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6p0E6.img
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHfWvR.img
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAMzyrj.img
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAaeOki.img
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAywHbG.img
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB10dZNR.img
      Source: explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1jtbc8.img
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBY4G4r.img
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBwqLzS.img
      Source: handlers.json.0.drString found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
      Source: qmgr.db.26.drString found in binary or memory: https://msftspeechmodelsprod.azureedge.net/SR/SV10-EV100/en-us-n/MV101/naspmodelsmetadata.xmlPC:
      Source: powershell.exe, 00000002.00000002.120988706985.0000000005BAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
      Source: powershell.exe, 00000002.00000002.120984169871.0000000003037000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
      Source: cert9.db.0.drString found in binary or memory: https://pki.goog/repository/0
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://prod-streaming-video-msn-com.akamaized.net/3816fd87-9340-49ae-9112-05e94efcbac4/b99799e0-83d
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://prod-streaming-video-msn-com.akamaized.net/ebfb1cfc-2642-4461-9462-0635e0a6afdc/b99799e0-83d
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://prod-video-cms-amp-microsoft-com.akamaized.net/tenant/amp/entityid/AA1oRj32?blobrefkey=close
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://screenrant.com/doctor-who-season-15-fourth-wall-breaks-davies-response/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stacker.com
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stacker.com/business-economy/person-online-or-hybrid-shopping-american-consumer-habits-are-c
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stacker.com/lifestyle/truth-behind-5-unconventional-self-care-rituals-have-gone-viral-tiktok
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stacker.com/pets/animal-shelter-populations-are-heres-why-and-how-shelters-are-responding
      Source: explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stacker.com/stories
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
      Source: places.sqlite.0.drString found in binary or memory: https://support.mozilla.org
      Source: favicons.sqlite.0.drString found in binary or memory: https://support.mozilla.org/en-GB/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=fire
      Source: favicons.sqlite.0.drString found in binary or memory: https://support.mozilla.org/en-GB/products/firefox
      Source: places.sqlite.0.drString found in binary or memory: https://support.mozilla.org/en-GB/products/firefoxgro.allizom.troppus.
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-us&chosenMarketReason=implicitExisting
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-us&chosenMarketReason=implicitNew
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-us&chosenMarketReason=implicitExisting
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-us&chosenMarketReason=implicitNew
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.businessinsider.com/nashville-mistakes-what-to-know-about-visiting-according-to-local
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.census.gov/library/stories/2023/09/why-people-move.html
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.census.gov/newsroom/press-releases/2024/population-estimates-more-counties-population-ga
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cnn.com/travel/article/bachelorette-party-nashville-tennessee/index.html
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/content/cocktail-recipes/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/a22999141/thanksgiving-ring-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/a40984750/cannoli-chips-and-dip-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/g1702/casserole-recipes/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/g1967/fall-cocktails-recipes/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/g2021/fall-dessert-recipes/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a21782346/ultimate-chip-and-dip-platter-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a35396804/butternut-squash-potstickers-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a41848738/cranberry-whipped-feta-dip-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a44041/pumpkin-pie-dip-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a45623/bacon-wrapped-jalapenos-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a50000/sweet-potato-bites-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a62779542/cranberry-cream-cheese-spread-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/g2957/easy-fall-dinners/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/g3026/fall-soup-recipes/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/recipes/a44140/pumpkin-deviled-eggs-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/recipes/a50049/green-bean-casserole-bundles-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/recipes/a51423/ham-and-cheese-pinwheels-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/recipes/a55502/pub-beer-cheese-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/recipes/a56997/onion-soup-bread-bowls-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/cooking/recipe-ideas/recipes/a57209/cranberry-brie-pull-apart-bread-recipe/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/food/g2168/bite-size-appetizers/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.delish.com/holiday-recipes/thanksgiving/
      Source: cert9.db.0.drString found in binary or memory: https://www.digicert.com/CPS0
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.elle.com/beauty/makeup-skin-care/g46652382/best-sheet-mask/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.elle.com/beauty/makeup-skin-care/tips/g8091/face-serum/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.elle.com/beauty/makeup-skin-care/tips/g8901/korean-beauty-skincare-routine-10-steps/
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.hollywoodreporter.com/tv/tv-news/sesame-street-changing-format-tales-from-123-season-56-
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.imdb.com/
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.instagram.com/aliciayoon212/?hl=en
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.instagram.com/charlottejcho/?hl=en
      Source: handlers.json.0.drString found in binary or memory: https://www.mibbit.com/?url=%s
      Source: places.sqlite.0.drString found in binary or memory: https://www.mozilla.org
      Source: favicons.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-GB/about/
      Source: places.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-GB/about/gro.allizom.www.
      Source: favicons.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-GB/contribute/
      Source: places.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-GB/contribute/gro.allizom.www.
      Source: favicons.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-GB/firefox/central/
      Source: places.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-GB/firefox/central/gro.allizom.www.
      Source: places.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-GB/privacy/firefox/gro.allizom.www.
      Source: upgrade.jsonlz4-20210816143654.0.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/fV
      Source: favicons.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
      Source: places.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
      Source: favicons.sqlite.0.drString found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon-196x196.2af054fea211.png
      Source: favicons.sqlite.0.drString found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
      Source: places.sqlite.0.drString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpgk
      Source: places.sqlite.0.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/autos/enthusiasts/sema-2024-flexing-muscle-on-the-floor/ar-AA1uciUt
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/autos/news/does-the-start-stop-function-really-improve-your-car-s-fuel-eco
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/entertainment/news/fans-choose-jin-s-happy-as-this-week-s-favorite-new-mus
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/feed
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/foodanddrink/recipes/20-quick-and-easy-dinners-made-in-a-13-9-pan/ss-AA1tX
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/foodanddrink/recipes/60-appetizer-recipes-that-ll-get-the-party-started-th
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/foodanddrink/recipes/meatloaf-gourmet-style/ar-BB1qWDmx
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/medical/12-strange-facts-about-redheads-you-never-knew/ar-BB1labs7
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/medical/researchers-study-life-after-death-and-it-gets-weirder/ar-A
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/nutrition/the-ina-garten-cookie-recipe-i-can-t-stop-making/ar-AA1ue
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/other/13-best-ballet-flats-with-arch-support-so-you-can-get-in-on-t
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/other/these-korean-skin-care-brands-will-give-you-glass-skin/ss-BB1
      Source: explorer.exe, 0000000F.00000003.121558903253.0000000008E3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.121564536705.0000000008E69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/off-grid-homeowners-spark-inspiration-with-images
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/pets/the-dog-breed-that-lives-the-longest-based-on-data-and-see-
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/shopping/10-fashion-gifts-you-won-t-believe-are-from-walmart-all
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/6-cool-cars-the-middle-class-can-afford-according-to
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/warren-buffett-10-things-poor-people-waste-money-on/
      Source: explorer.exe, 00000007.00000003.121360530258.0000000009966000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.121435752847.0000000009998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/movies/news/25-stunning-comebacks-roles-that-resurrected-hollywood-careers

      System Summary

      Source: Zoom.exe, RulesSingletonConnector.csLarge array initialization: PopStub: array initializer size 297280
      Source: Zoom.exe.0.dr, RulesSingletonConnector.csLarge array initialization: PopStub: array initializer size 297280
      Source: C:\Users\user\Desktop\Zoom.exeProcess Stats: CPU usage > 6%
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA42584_2_00BA4258
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA14E04_2_00BA14E0
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA14D04_2_00BA14D0
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1AA84_2_00BA1AA8
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1AF24_2_00BA1AF2
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1AA84_2_00BA1AA8
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1B924_2_00BA1B92
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA3BEF4_2_00BA3BEF
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1B334_2_00BA1B33
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1B1E4_2_00BA1B1E
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1B074_2_00BA1B07
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1B7A4_2_00BA1B7A
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1B624_2_00BA1B62
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA1B4A4_2_00BA1B4A
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA3CA24_2_00BA3CA2
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 4_2_00BA2F254_2_00BA2F25
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 5_2_010A41D15_2_010A41D1
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 5_2_010A42585_2_010A4258
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 5_2_010A14D05_2_010A14D0
      Source: C:\Users\user\AppData\Roaming\Zoom.exeCode function: 5_2_010A14E05_2_010A14E0
      Source: Zoom.exe, 00000000.00000000.120971649532.0000000000F1A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameNeqpcwp.exe" vs Zoom.exe
      Source: Zoom.exe, 00000004.00000002.121253915610.0000000004E40000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameZapjprdi.dll" vs Zoom.exe
      Source: Zoom.exe, 00000004.00000002.121251262532.0000000003915000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameZapjprdi.dll" vs Zoom.exe
      Source: Zoom.exe, 00000004.00000002.121246518203.000000000096E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Zoom.exe
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002851000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameZapjprdi.dll" vs Zoom.exe
      Source: Zoom.exe, 00000005.00000002.121327157686.0000000000B90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Zoom.exe
      Source: Zoom.exe, 00000005.00000002.121335318122.0000000003CD4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameZapjprdi.dll" vs Zoom.exe
      Source: Zoom.exeBinary or memory string: OriginalFilenameNeqpcwp.exe" vs Zoom.exe
      Source: Zoom.exe.0.drBinary or memory string: OriginalFilenameNeqpcwp.exe" vs Zoom.exe
      Source: Zoom.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: Zoom.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: Zoom.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: Zoom.exe, WatcherCodeInstance.csCryptographic APIs: 'CreateDecryptor'
      Source: Zoom.exe, WatcherCodeInstance.csCryptographic APIs: 'CreateDecryptor'
      Source: Zoom.exe, RulesSingletonConnector.csCryptographic APIs: 'CreateDecryptor'
      Source: Zoom.exe.0.dr, WatcherCodeInstance.csCryptographic APIs: 'CreateDecryptor'
      Source: Zoom.exe.0.dr, WatcherCodeInstance.csCryptographic APIs: 'CreateDecryptor'
      Source: Zoom.exe.0.dr, RulesSingletonConnector.csCryptographic APIs: 'CreateDecryptor'
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@39/70@0/14
      Source: C:\Users\user\Desktop\Zoom.exeFile created: C:\Users\user\AppData\Roaming\Zoom.exeJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeMutant created: NULL
      Source: C:\Users\user\Desktop\Zoom.exeMutant created: \Sessions\1\BaseNamedObjects\c133332651f9
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:304:WilStaging_02
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:120:WilError_03
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sacdv3l2.3dm.ps1Jump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\explorer.exe
      Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\explorer.exe
      Source: Zoom.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: Zoom.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
      Source: C:\Users\user\Desktop\Zoom.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Users\user\Desktop\Zoom.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process WHERE Name = 'firefox.exe'
      Source: C:\Windows\explorer.exeFile read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: Zoom.exeReversingLabs: Detection: 44%
      Source: C:\Users\user\Desktop\Zoom.exeFile read: C:\Users\user\Desktop\Zoom.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\Zoom.exe "C:\Users\user\Desktop\Zoom.exe"
      Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String'
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Zoom.exe "C:\Users\user\AppData\Roaming\Zoom.exe"
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Zoom.exe "C:\Users\user\AppData\Roaming\Zoom.exe"
      Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe
      Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe
      Source: C:\Windows\explorer.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2220,i,9109457994456723034,8271552518861750300,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2224 /prefetch:3
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String'Jump to behavior
      Source: C:\Windows\explorer.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2220,i,9109457994456723034,8271552518861750300,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2224 /prefetch:3
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: edgegdi.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: schannel.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: mskeyprotect.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: ntasn1.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: ncrypt.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: ncryptsslp.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: wbemcomn.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeSection loaded: windowscodecs.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: edgegdi.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: amsi.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: userenv.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: gpapi.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: msasn1.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: mscoree.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: version.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: edgegdi.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: wldp.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: profapi.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: amsi.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: userenv.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: gpapi.dll
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Section loaded: msasn1.dll
      Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
      Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
      Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
      Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
      Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
      Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
      Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
      Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
      Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
      Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
      Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
      Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
      Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
      Source: C:\Windows\explorer.exe | Section loaded: edgegdi.dll
      Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
      Source: C:\Windows\explorer.exe | Section loaded: ninput.dll
      Source: C:\Windows\explorer.exe | Section loaded: appresolver.dll
      Source: C:\Windows\explorer.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\explorer.exe | Section loaded: slc.dll
      Source: C:\Windows\explorer.exe | Section loaded: sppc.dll
      Source: C:\Windows\explorer.exe | Section loaded: profapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\explorer.exe | Section loaded: starttiledata.dll
      Source: C:\Windows\explorer.exe | Section loaded: idstore.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.applicationmodel.dll
      Source: C:\Windows\explorer.exe | Section loaded: usermgrcli.dll
      Source: C:\Windows\explorer.exe | Section loaded: wlidprov.dll
      Source: C:\Windows\explorer.exe | Section loaded: samcli.dll
      Source: C:\Windows\explorer.exe | Section loaded: appxdeploymentclient.dll
      Source: C:\Windows\explorer.exe | Section loaded: usermgrproxy.dll
      Source: C:\Windows\explorer.exe | Section loaded: policymanager.dll
      Source: C:\Windows\explorer.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryclient.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.dll
      Source: C:\Windows\explorer.exe | Section loaded: settingsynccore.dll
      Source: C:\Windows\explorer.exe | Section loaded: wintypes.dll
      Source: C:\Windows\explorer.exe | Section loaded: winsta.dll
      Source: C:\Windows\explorer.exe | Section loaded: appextension.dll
      Source: C:\Windows\explorer.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\explorer.exe | Section loaded: sndvolsso.dll
      Source: C:\Windows\explorer.exe | Section loaded: mmdevapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: devobj.dll
      Source: C:\Windows\explorer.exe | Section loaded: oleacc.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
      Source: C:\Windows\explorer.exe | Section loaded: textshaping.dll
      Source: C:\Windows\explorer.exe | Section loaded: windowscodecs.dll
      Source: C:\Windows\explorer.exe | Section loaded: dcomp.dll
      Source: C:\Windows\explorer.exe | Section loaded: d3d11.dll
      Source: C:\Windows\explorer.exe | Section loaded: resourcepolicyclient.dll
      Source: C:\Windows\explorer.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\explorer.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\explorer.exe | Section loaded: dxcore.dll
      Source: C:\Windows\explorer.exe | Section loaded: d2d1.dll
      Source: C:\Windows\explorer.exe | Section loaded: dwrite.dll
      Source: C:\Windows\explorer.exe | Section loaded: xmllite.dll
      Source: C:\Windows\explorer.exe | Section loaded: dataexchange.dll
      Source: C:\Windows\explorer.exe | Section loaded: apphelp.dll
      Source: C:\Windows\explorer.exe | Section loaded: tiledatarepository.dll
      Source: C:\Windows\explorer.exe | Section loaded: staterepository.core.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.staterepository.dll
      Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositorycore.dll
      Source: C:\Windows\explorer.exe | Section loaded: mrmcorer.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.ui.dll
      Source: C:\Windows\explorer.exe | Section loaded: windowmanagementapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: textinputframework.dll
      Source: C:\Windows\explorer.exe | Section loaded: inputhost.dll
      Source: C:\Windows\explorer.exe | Section loaded: coreuicomponents.dll
      Source: C:\Windows\explorer.exe | Section loaded: coreuicomponents.dll
      Source: C:\Windows\explorer.exe | Section loaded: languageoverlayutil.dll
      Source: C:\Windows\explorer.exe | Section loaded: bcp47mrm.dll
      Source: C:\Windows\explorer.exe | Section loaded: twinui.pcshell.dll
      Source: C:\Windows\explorer.exe | Section loaded: wincorlib.dll
      Source: C:\Windows\explorer.exe | Section loaded: cdp.dll
      Source: C:\Windows\explorer.exe | Section loaded: dsreg.dll
      Source: C:\Windows\explorer.exe | Section loaded: thumbcache.dll
      Source: C:\Windows\explorer.exe | Section loaded: edputil.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.immersiveshell.serviceprovider.dll
      Source: C:\Windows\explorer.exe | Section loaded: msctfmonitor.dll
      Source: C:\Windows\explorer.exe | Section loaded: msutb.dll
      Source: C:\Windows\explorer.exe | Section loaded: inputswitch.dll
      Source: C:\Windows\explorer.exe | Section loaded: dui70.dll
      Source: C:\Windows\explorer.exe | Section loaded: duser.dll
      Source: C:\Windows\explorer.exe | Section loaded: cldapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: fltlib.dll
      Source: C:\Windows\explorer.exe | Section loaded: pcshellcommonproxystub.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.globalization.dll
      Source: C:\Windows\explorer.exe | Section loaded: notificationcontrollerps.dll
      Source: C:\Windows\explorer.exe | Section loaded: rmclient.dll
      Source: C:\Windows\explorer.exe | Section loaded: cryptngc.dll
      Source: C:\Windows\explorer.exe | Section loaded: uianimation.dll
      Source: C:\Windows\explorer.exe | Section loaded: cflapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: shellcommoncommonproxystub.dll
      Source: C:\Windows\explorer.exe | Section loaded: d3d10warp.dll
      Source: C:\Windows\explorer.exe | Section loaded: photometadatahandler.dll
      Source: C:\Windows\explorer.exe | Section loaded: ntshrui.dll
      Source: C:\Windows\explorer.exe | Section loaded: cscapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: linkinfo.dll
      Source: C:\Windows\explorer.exe | Section loaded: secur32.dll
      Source: C:\Windows\explorer.exe | Section loaded: samlib.dll
      Source: C:\Windows\explorer.exe | Section loaded: wkscli.dll
      Source: C:\Windows\explorer.exe | Section loaded: version.dll
      Source: C:\Windows\explorer.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\explorer.exe | Section loaded: provsvc.dll
      Source: C:\Windows\explorer.exe | Section loaded: ehstorshell.dll
      Source: C:\Windows\explorer.exe | Section loaded: cscui.dll
      Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
      Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
      Source: C:\Windows\explorer.exe | Section loaded: msvcp140.dll
      Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
      Source: C:\Windows\explorer.exe | Section loaded: stobject.dll
      Source: C:\Windows\explorer.exe | Section loaded: wmiclnt.dll
      Source: C:\Windows\explorer.exe | Section loaded: batmeter.dll
      Source: C:\Windows\explorer.exe | Section loaded: vaultcli.dll
      Source: C:\Windows\explorer.exe | Section loaded: sxs.dll
      Source: C:\Windows\explorer.exe | Section loaded: onedrivesettingsyncprovider.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.ui.shell.dll
      Source: C:\Windows\explorer.exe | Section loaded: es.dll
      Source: C:\Windows\explorer.exe | Section loaded: actxprxy.dll
      Source: C:\Windows\explorer.exe | Section loaded: prnfldr.dll
      Source: C:\Windows\explorer.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\explorer.exe | Section loaded: atlthunk.dll
      Source: C:\Windows\explorer.exe | Section loaded: dxp.dll
      Source: C:\Windows\explorer.exe | Section loaded: shdocvw.dll
      Source: C:\Windows\explorer.exe | Section loaded: actioncenter.dll
      Source: C:\Windows\explorer.exe | Section loaded: wevtapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: syncreg.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.fileexplorer.common.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.networking.connectivity.dll
      Source: C:\Windows\explorer.exe | Section loaded: npmproxy.dll
      Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: dusmapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: wpdshserviceobj.dll
      Source: C:\Windows\explorer.exe | Section loaded: portabledevicetypes.dll
      Source: C:\Windows\explorer.exe | Section loaded: portabledeviceapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: audioses.dll
      Source: C:\Windows\explorer.exe | Section loaded: settingmonitor.dll
      Source: C:\Windows\explorer.exe | Section loaded: msasn1.dll
      Source: C:\Windows\explorer.exe | Section loaded: wpnclient.dll
      Source: C:\Windows\explorer.exe | Section loaded: pnidui.dll
      Source: C:\Windows\explorer.exe | Section loaded: mobilenetworking.dll
      Source: C:\Windows\explorer.exe | Section loaded: netprofm.dll
      Source: C:\Windows\explorer.exe | Section loaded: networkuxbroker.dll
      Source: C:\Windows\explorer.exe | Section loaded: cscobj.dll
      Source: C:\Windows\explorer.exe | Section loaded: ethernetmediamanager.dll
      Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
      Source: C:\Windows\explorer.exe | Section loaded: wlanapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: srchadmin.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.storage.search.dll
      Source: C:\Windows\explorer.exe | Section loaded: synccenter.dll
      Source: C:\Windows\explorer.exe | Section loaded: imapi2.dll
      Source: C:\Windows\explorer.exe | Section loaded: ncsi.dll
      Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\explorer.exe | Section loaded: wscinterop.dll
      Source: C:\Windows\explorer.exe | Section loaded: wscapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: werconcpl.dll
      Source: C:\Windows\explorer.exe | Section loaded: framedynos.dll
      Source: C:\Windows\explorer.exe | Section loaded: wer.dll
      Source: C:\Windows\explorer.exe | Section loaded: bluetoothapis.dll
      Source: C:\Windows\explorer.exe | Section loaded: hcproviders.dll
      Source: C:\Windows\explorer.exe | Section loaded: bluetoothapis.dll
      Source: C:\Windows\explorer.exe | Section loaded: ieproxy.dll
      Source: C:\Windows\explorer.exe | Section loaded: storageusage.dll
      Source: C:\Windows\explorer.exe | Section loaded: fhcfg.dll
      Source: C:\Windows\explorer.exe | Section loaded: efsutil.dll
      Source: C:\Windows\explorer.exe | Section loaded: mpr.dll
      Source: C:\Windows\explorer.exe | Section loaded: netapi32.dll
      Source: C:\Windows\explorer.exe | Section loaded: dsrole.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.internal.system.userprofile.dll
      Source: C:\Windows\explorer.exe | Section loaded: cloudexperiencehostbroker.dll
      Source: C:\Windows\explorer.exe | Section loaded: credui.dll
      Source: C:\Windows\explorer.exe | Section loaded: wdscore.dll
      Source: C:\Windows\explorer.exe | Section loaded: dbghelp.dll
      Source: C:\Windows\explorer.exe | Section loaded: dbgcore.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.web.dll
      Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
      Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
      Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
      Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
      Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
      Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
      Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
      Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
      Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
      Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
      Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
      Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
      Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
      Source: C:\Windows\explorer.exe | Section loaded: edgegdi.dll
      Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
      Source: C:\Windows\explorer.exe | Section loaded: ninput.dll
      Source: C:\Windows\explorer.exe | Section loaded: appresolver.dll
      Source: C:\Windows\explorer.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\explorer.exe | Section loaded: slc.dll
      Source: C:\Windows\explorer.exe | Section loaded: sppc.dll
      Source: C:\Windows\explorer.exe | Section loaded: profapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\explorer.exe | Section loaded: starttiledata.dll
      Source: C:\Windows\explorer.exe | Section loaded: usermgrcli.dll
      Source: C:\Windows\explorer.exe | Section loaded: idstore.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\explorer.exe | Section loaded: usermgrproxy.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.applicationmodel.dll
      Source: C:\Windows\explorer.exe | Section loaded: wlidprov.dll
      Source: C:\Windows\explorer.exe | Section loaded: samcli.dll
      Source: C:\Windows\explorer.exe | Section loaded: appxdeploymentclient.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.dll
      Source: C:\Windows\explorer.exe | Section loaded: policymanager.dll
      Source: C:\Windows\explorer.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\explorer.exe | Section loaded: appextension.dll
      Source: C:\Windows\explorer.exe | Section loaded: settingsynccore.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
      Source: C:\Windows\explorer.exe | Section loaded: winsta.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryclient.dll
      Source: C:\Windows\explorer.exe | Section loaded: wintypes.dll
      Source: C:\Windows\explorer.exe | Section loaded: sndvolsso.dll
      Source: C:\Windows\explorer.exe | Section loaded: mmdevapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: devobj.dll
      Source: C:\Windows\explorer.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\explorer.exe | Section loaded: oleacc.dll
      Source: C:\Windows\explorer.exe | Section loaded: textshaping.dll
      Source: C:\Windows\explorer.exe | Section loaded: windowscodecs.dll
      Source: C:\Windows\explorer.exe | Section loaded: dcomp.dll
      Source: C:\Windows\explorer.exe | Section loaded: d3d11.dll
      Source: C:\Windows\explorer.exe | Section loaded: resourcepolicyclient.dll
      Source: C:\Windows\explorer.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\explorer.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\explorer.exe | Section loaded: dxcore.dll
      Source: C:\Windows\explorer.exe | Section loaded: d2d1.dll
      Source: C:\Windows\explorer.exe | Section loaded: dwrite.dll
      Source: C:\Windows\explorer.exe | Section loaded: xmllite.dll
      Source: C:\Windows\explorer.exe | Section loaded: dataexchange.dll
      Source: C:\Windows\explorer.exe | Section loaded: apphelp.dll
      Source: C:\Windows\explorer.exe | Section loaded: tiledatarepository.dll
      Source: C:\Windows\explorer.exe | Section loaded: staterepository.core.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.staterepository.dll
      Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositorycore.dll
      Source: C:\Windows\explorer.exe | Section loaded: mrmcorer.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.ui.dll
      Source: C:\Windows\explorer.exe | Section loaded: windowmanagementapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: textinputframework.dll
      Source: C:\Windows\explorer.exe | Section loaded: inputhost.dll
      Source: C:\Windows\explorer.exe | Section loaded: coreuicomponents.dll
      Source: C:\Windows\explorer.exe | Section loaded: coreuicomponents.dll
      Source: C:\Windows\explorer.exe | Section loaded: languageoverlayutil.dll
      Source: C:\Windows\explorer.exe | Section loaded: bcp47mrm.dll
      Source: C:\Windows\explorer.exe | Section loaded: twinui.pcshell.dll
      Source: C:\Windows\explorer.exe | Section loaded: wincorlib.dll
      Source: C:\Windows\explorer.exe | Section loaded: cdp.dll
      Source: C:\Windows\explorer.exe | Section loaded: dsreg.dll
      Source: C:\Windows\explorer.exe | Section loaded: thumbcache.dll
      Source: C:\Windows\explorer.exe | Section loaded: edputil.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.immersiveshell.serviceprovider.dll
      Source: C:\Windows\explorer.exe | Section loaded: msctfmonitor.dll
      Source: C:\Windows\explorer.exe | Section loaded: msutb.dll
      Source: C:\Windows\explorer.exe | Section loaded: inputswitch.dll
      Source: C:\Windows\explorer.exe | Section loaded: dui70.dll
      Source: C:\Windows\explorer.exe | Section loaded: duser.dll
      Source: C:\Windows\explorer.exe | Section loaded: cldapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: fltlib.dll
      Source: C:\Windows\explorer.exe | Section loaded: uianimation.dll
      Source: C:\Windows\explorer.exe | Section loaded: d3d10warp.dll
      Source: C:\Windows\explorer.exe | Section loaded: pcshellcommonproxystub.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.globalization.dll
      Source: C:\Windows\explorer.exe | Section loaded: cryptngc.dll
      Source: C:\Windows\explorer.exe | Section loaded: cflapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: notificationcontrollerps.dll
      Source: C:\Windows\explorer.exe | Section loaded: rmclient.dll
      Source: C:\Windows\explorer.exe | Section loaded: shellcommoncommonproxystub.dll
      Source: C:\Windows\explorer.exe | Section loaded: photometadatahandler.dll
      Source: C:\Windows\explorer.exe | Section loaded: ntshrui.dll
      Source: C:\Windows\explorer.exe | Section loaded: cscapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: linkinfo.dll
      Source: C:\Windows\explorer.exe | Section loaded: secur32.dll
      Source: C:\Windows\explorer.exe | Section loaded: samlib.dll
      Source: C:\Windows\explorer.exe | Section loaded: version.dll
      Source: C:\Windows\explorer.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\explorer.exe | Section loaded: wkscli.dll
      Source: C:\Windows\explorer.exe | Section loaded: provsvc.dll
      Source: C:\Windows\explorer.exe | Section loaded: ehstorshell.dll
      Source: C:\Windows\explorer.exe | Section loaded: cscui.dll
      Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
      Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
      Source: C:\Windows\explorer.exe | Section loaded: msvcp140.dll
      Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
      Source: C:\Windows\explorer.exe | Section loaded: stobject.dll
      Source: C:\Windows\explorer.exe | Section loaded: wmiclnt.dll
      Source: C:\Windows\explorer.exe | Section loaded: batmeter.dll
      Source: C:\Windows\explorer.exe | Section loaded: vaultcli.dll
      Source: C:\Windows\explorer.exe | Section loaded: sxs.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.ui.shell.dll
      Source: C:\Windows\explorer.exe | Section loaded: onedrivesettingsyncprovider.dll
      Source: C:\Windows\explorer.exe | Section loaded: prnfldr.dll
      Source: C:\Windows\explorer.exe | Section loaded: actxprxy.dll
      Source: C:\Windows\explorer.exe | Section loaded: es.dll
      Source: C:\Windows\explorer.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\explorer.exe | Section loaded: dxp.dll
      Source: C:\Windows\explorer.exe | Section loaded: shdocvw.dll
      Source: C:\Windows\explorer.exe | Section loaded: atlthunk.dll
      Source: C:\Windows\explorer.exe | Section loaded: actioncenter.dll
      Source: C:\Windows\explorer.exe | Section loaded: wevtapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: syncreg.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.fileexplorer.common.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.networking.connectivity.dll
      Source: C:\Windows\explorer.exe | Section loaded: npmproxy.dll
      Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: dusmapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: wpdshserviceobj.dll
      Source: C:\Windows\explorer.exe | Section loaded: portabledevicetypes.dll
      Source: C:\Windows\explorer.exe | Section loaded: portabledeviceapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: settingmonitor.dll
      Source: C:\Windows\explorer.exe | Section loaded: msasn1.dll
      Source: C:\Windows\explorer.exe | Section loaded: wpnclient.dll
      Source: C:\Windows\explorer.exe | Section loaded: cscobj.dll
      Source: C:\Windows\explorer.exe | Section loaded: audioses.dll
      Source: C:\Windows\explorer.exe | Section loaded: srchadmin.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.storage.search.dll
      Source: C:\Windows\explorer.exe | Section loaded: synccenter.dll
      Source: C:\Windows\explorer.exe | Section loaded: imapi2.dll
      Source: C:\Windows\explorer.exe | Section loaded: pnidui.dll
      Source: C:\Windows\explorer.exe | Section loaded: mobilenetworking.dll
      Source: C:\Windows\explorer.exe | Section loaded: netprofm.dll
      Source: C:\Windows\explorer.exe | Section loaded: networkuxbroker.dll
      Source: C:\Windows\explorer.exe | Section loaded: ethernetmediamanager.dll
      Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
      Source: C:\Windows\explorer.exe | Section loaded: wlanapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: ncsi.dll
      Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\explorer.exe | Section loaded: storageusage.dll
      Source: C:\Windows\explorer.exe | Section loaded: wer.dll
      Source: C:\Windows\explorer.exe | Section loaded: wscinterop.dll
      Source: C:\Windows\explorer.exe | Section loaded: wscapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: fhcfg.dll
      Source: C:\Windows\explorer.exe | Section loaded: efsutil.dll
      Source: C:\Windows\explorer.exe | Section loaded: mpr.dll
      Source: C:\Windows\explorer.exe | Section loaded: netapi32.dll
      Source: C:\Windows\explorer.exe | Section loaded: dsrole.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.internal.system.userprofile.dll
      Source: C:\Windows\explorer.exe | Section loaded: cloudexperiencehostbroker.dll
      Source: C:\Windows\explorer.exe | Section loaded: credui.dll
      Source: C:\Windows\explorer.exe | Section loaded: wdscore.dll
      Source: C:\Windows\explorer.exe | Section loaded: dbghelp.dll
      Source: C:\Windows\explorer.exe | Section loaded: dbgcore.dll
      Source: C:\Windows\explorer.exe | Section loaded: werconcpl.dll
      Source: C:\Windows\explorer.exe | Section loaded: framedynos.dll
      Source: C:\Windows\explorer.exe | Section loaded: hcproviders.dll
      Source: C:\Windows\explorer.exe | Section loaded: bluetoothapis.dll
      Source: C:\Windows\explorer.exe | Section loaded: ieproxy.dll
      Source: C:\Windows\explorer.exe | Section loaded: bluetoothapis.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.web.dll
      Source: C:\Windows\explorer.exe | Section loaded: settingsync.dll
      Source: C:\Windows\explorer.exe | Section loaded: smartscreenps.dll
      Source: C:\Windows\explorer.exe | Section loaded: pcacli.dll
      Source: C:\Windows\explorer.exe | Section loaded: sfc_os.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: edgegdi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
      Source: C:\Users\user\Desktop\Zoom.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
      Source: C:\Users\user\Desktop\Zoom.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: Zoom.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: Zoom.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

      Data Obfuscation

      Source: Zoom.exe, WatcherCodeInstance.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
      Source: Zoom.exe.0.dr, WatcherCodeInstance.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
      Source: Zoom.exe, Consumer.cs | .Net Code: ForgotTokenizer System.Reflection.Assembly.Load(byte[])
      Source: Zoom.exe.0.dr, Consumer.cs | .Net Code: ForgotTokenizer System.Reflection.Assembly.Load(byte[])
      Source: C:\Users\user\Desktop\Zoom.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String'
      Source: C:\Users\user\Desktop\Zoom.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String'
      Source: Zoom.exe | Static PE information: 0xACB26237 [Mon Oct 24 09:28:23 2061 UTC]
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04922CA9 push 04B807D4h; retf 2_2_04922CAE
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Code function: 4_2_00BA1F90 push 8BD88B72h; retf 4_2_00BA1F96
      Source: Zoom.exe | Static PE information: section name: .text entropy: 7.8678306288821815
      Source: Zoom.exe.0.dr | Static PE information: section name: .text entropy: 7.8678306288821815
      Source: C:\Users\user\Desktop\Zoom.exe | File created: C:\Users\user\AppData\Roaming\Zoom.exe

      Boot Survival

      Source: C:\Windows\explorer.exe | Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      Source: C:\Windows\explorer.exe | Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Zoom
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Zoom
      Source: C:\Users\user\Desktop\Zoom.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\D1B229C21A0A68AF7DA7312615A134A4 57cea44528b4a4ada7e68dbaaab9333c
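The persistence chain above (Zoom.exe drops a copy to %APPDATA%, then spawns PowerShell to delete and re-create the HKCU Run value) is the pattern the "Set autostart key via New-ItemProperty Cmdlet" Sigma hit refers to. The following is an added detection example, not part of the sandbox report: it parses New-/Set-ItemProperty invocations out of a command line, resolves the autorun target, flags targets under user-writable directories, and correlates the registry-write event. The events are constructed here in Sysmon's field vocabulary (EventID 1 process creation, EventID 13 registry value set) from the command line and key the report shows; the rule names and the list of user-writable directories are assumptions. Matching is case-insensitive on purpose: the report records both the original command line and a fully lower-cased copy of it.

```python
"""Detect Run-key persistence written through PowerShell *-ItemProperty cmdlets."""
import re
from dataclasses import dataclass

AUTORUN_KEYS = (
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runonce",
)
# Assumed list of locations a standard user can write to; an autorun pointing here is suspect.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\users\\public\\")

# One New-/Set-ItemProperty invocation: everything up to the next ';' or '|'.
CMDLET_RE = re.compile(r"(?:new|set)-itemproperty\s+(?P<args>[^;|]+)", re.IGNORECASE)
# -Path/-Name/-Value followed by a single-quoted, double-quoted or bare argument.
ARG_RE = re.compile(r"-(path|name|value)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE)


def parse_args(argstr):
    """Map the lower-cased parameter name to its unquoted argument."""
    out = {}
    for m in ARG_RE.finditer(argstr):
        out[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return out


def autorun_from_cmdline(cmdline):
    """Return (key, value name, autorun target) for each cmdlet that writes a Run/RunOnce key."""
    hits = []
    for m in CMDLET_RE.finditer(cmdline):
        args = parse_args(m.group("args"))
        path = args.get("path", "").lower().rstrip("\\")
        if not any(path.endswith(k) for k in AUTORUN_KEYS):
            continue
        # The report's value is '"C:\...\Zoom.exe"': single quotes for PowerShell, double quotes
        # stored in the registry. Strip both layers to recover the executable path.
        target = args.get("value", "").strip().strip('"')
        hits.append((args.get("path", ""), args.get("name", ""), target))
    return hits


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def analyse(events):
    """Run the checks over Sysmon-style event dicts; findings come back in event order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:  # process creation: inspect the command line
            for key, name, target in autorun_from_cmdline(ev["CommandLine"]):
                parent = ev.get("ParentImage", "?")
                findings.append(Finding("autorun_set_via_itemproperty_cmdlet", ev["Image"],
                                        f"{key}\\{name} = {target} (parent: {parent})"))
                if any(seg in target.lower() for seg in USER_WRITABLE):
                    findings.append(Finding("autorun_target_in_user_writable_dir", ev["Image"], target))
        elif ev["EventID"] == 13:  # registry value set: independent of how it was written
            obj = ev["TargetObject"].lower()
            if any(k + "\\" in obj for k in AUTORUN_KEYS):
                findings.append(Finding("run_key_value_written", ev["Image"], ev["TargetObject"]))
    return findings


# Constructed sample events, modelled on the report's process tree (not real telemetry).
PS = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
CMD = (
    "\"powershell.exe\" Remove-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name 'Zoom';"
    "New-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name 'Zoom' "
    "-Value '\"C:\\Users\\user\\AppData\\Roaming\\Zoom.exe\"' -PropertyType 'String'"
)
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": "C:\\Users\\user\\Desktop\\Zoom.exe", "CommandLine": CMD},
    {"EventID": 1, "Image": PS, "ParentImage": "C:\\Users\\user\\Desktop\\Zoom.exe", "CommandLine": CMD.lower()},
    {"EventID": 13, "Image": PS,
     "TargetObject": "HKU\\S-1-5-21-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Zoom",
     "Details": "\"C:\\Users\\user\\AppData\\Roaming\\Zoom.exe\""},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},  # benign control
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.rule:40} {f.process}\n    {f.detail}")
```

The Remove-ItemProperty that precedes the write is deliberately ignored by the parser: a removal of a Run value is what a cleanup does too, and the New-ItemProperty right after it carries the signal. In production the EventID 13 branch is the one to rely on, since it fires regardless of whether the key was written by PowerShell, reg.exe or a direct RegSetValueEx call.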
      Source: C:\Users\user\Desktop\Zoom.exe | Process information set: NOOPENFILEERRORBOX (62 occurrences)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (76 occurrences)
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Process information set: NOOPENFILEERRORBOX (66 occurrences)
      Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (31 occurrences)

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\Zoom.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
      Source: C:\Users\user\Desktop\Zoom.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
      Source: C:\Users\user\Desktop\Zoom.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
      Source: C:\Users\user\Desktop\Zoom.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
      Source: C:\Users\user\Desktop\Zoom.exe | Memory allocated: 16F0000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\Zoom.exe | Memory allocated: 33B0000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\Zoom.exe | Memory allocated: 53B0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Memory allocated: BA0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Memory allocated: 2850000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Memory allocated: 2760000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Memory allocated: 1060000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Memory allocated: 2B10000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Memory allocated: 29C0000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\Zoom.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\Zoom.exe | Window / User API: threadDelayed 9957
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9875
      Source: C:\Users\user\Desktop\Zoom.exe TID: 4392 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6040 | Thread sleep count: 9875 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3500 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\Zoom.exe TID: 2856 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\Zoom.exe TID: 192 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 6912 | Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
      Source: C:\Users\user\Desktop\Zoom.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Users\user\Desktop\Zoom.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\Zoom.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\Zoom.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\Zoom.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\Zoom.exe | Memory allocated: page read and write | page guard
      Source: C:\Users\user\Desktop\Zoom.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Zoom' -Value '"C:\Users\user\AppData\Roaming\Zoom.exe"' -PropertyType 'String'
      Source: C:\Users\user\Desktop\Zoom.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" remove-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'zoom';new-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'zoom' -value '"c:\users\user\appdata\roaming\zoom.exe"' -propertytype 'string'
      Source: C:\Users\user\Desktop\Zoom.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" remove-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'zoom';new-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'zoom' -value '"c:\users\user\appdata\roaming\zoom.exe"' -propertytype 'string'Jump to behavior
      Source: explorer.exe, 00000007.00000002.121432659149.00000000011B4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progmanng
      Source: C:\Users\user\Desktop\Zoom.exeQueries volume information: C:\Users\user\Desktop\Zoom.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeQueries volume information: C:\Users\user\AppData\Roaming\Zoom.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeQueries volume information: C:\Users\user\AppData\Roaming\Zoom.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\Zoom.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\Zoom.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
      Source: C:\Users\user\Desktop\Zoom.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

      Stealing of Sensitive Information

      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Electrum
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty@fihkakfobkmkjojpchpfgcmhfjnmnfpi
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Exodus Web3@jiidiaalihmmhddjgbnbgdfflelocpak
      Source: Zoom.exe, 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Ethereum
      Source: powershell.exe, 00000002.00000002.120992516238.0000000007D30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: sqlcolumnencryptionkeystoreprovider
      Source: C:\Users\user\Desktop\Zoom.exe Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
      Source: Yara match File source: 00000004.00000002.121248277834.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: Zoom.exe PID: 1260, type: MEMORYSTR
      | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
      |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
      | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 321 Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 12 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Query Registry | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
      | Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 1 Modify Registry | LSASS Memory | 53 Security Software Discovery | Remote Desktop Protocol | 1 Data from Local System | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
      | Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | 1 DLL Side-Loading | 1 Disable or Modify Tools | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
      | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 351 Virtualization/Sandbox Evasion | NTDS | 351 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
      | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
      | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
      | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Obfuscated Files or Information | DCSync | 223 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
      | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 22 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
      | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Timestomp | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
      | IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      Behavior Graph ID: 1557990, Sample: Zoom.exe, Startdate: 18/11/2024, Architecture: WINDOWS, Score: 100

      • Start (node 2): signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Sigma detected: Set autostart key via New-ItemProperty Cmdlet; 4 other signatures. Started: Zoom.exe 4 3 (node 8), Zoom.exe 3 (node 13), svchost.exe (node 15), Zoom.exe 2 (node 17)
      • Zoom.exe 4 3 (node 8): network: 72.21.81.240 EDGECASTUS United States; 172.81.130.139 DATAWAGONUS United States. Dropped: C:\Users\user\AppData\Roaming\Zoom.exe, PE32. Signatures: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Suspicious powershell command line found; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 3 other signatures. Started: explorer.exe (node 19), powershell.exe 1 11 (node 22), explorer.exe 1 106 (node 24)
      • Zoom.exe 3 (node 13): dropped: C:\Users\user\AppData\Local\...\Zoom.exe.log, ASCII. Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen)
      • svchost.exe (node 15): network: 127.0.0.1 unknown unknown
      • explorer.exe (node 19): signatures: Monitors registry run keys for changes. Started: chrome.exe (node 26)
      • powershell.exe 1 11 (node 22): signatures: Found many strings related to Crypto-Wallets (likely being stolen). Started: conhost.exe (node 29)
      • chrome.exe (node 26): network: 192.168.11.20 unknown unknown; 239.255.255.250 unknown Reserved. Started: chrome.exe (node 31)
      • chrome.exe (node 31): network: 9.9.9.9 QUAD9-AS-1US United States; 142.250.176.195 GOOGLEUS United States; 7 other IPs or domains

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.