
Windows Analysis Report
bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1

Overview

General Information

Sample name:bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1
Analysis ID:1631707
MD5:28ecc48c849e683d111d79bc789a7ea3
SHA1:696edd9951a3aa7ebef7b5ea534ae2fac79f8242
SHA256:0fefa7625ea4fa4bb9ac95563ace22036b5d022b9530a0b2ca2ecde920630bdc

Detection

LummaC Stealer
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected MSILLoadEncryptedAssembly
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Browser Started with Remote Debugging
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • powershell.exe (PID: 8044 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3104 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • chrome.exe (PID: 2340 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9222 MD5: E81F54E6C1129887AEA47E7D092680BF)
        • chrome.exe (PID: 5880 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2360,i,12572725249836980227,2714334880502120775,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2536 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
        • chrome.exe (PID: 564 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2360,i,12572725249836980227,2714334880502120775,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5240 /prefetch:8 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • notepad.exe (PID: 6356 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)
  • cleanup
{"C2 url": ["neurozovery.life", "explorebieology.run", "moderzysics.top", "seedsxouts.shop", "codxefusion.top", "farfinable.top", "techspherxe.top"], "Build id": "jMw1IE--SHELLS"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2029749606.000000000726C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0000000A.00000002.2577756288.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: powershell.exe PID: 8044 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
Process Memory Space: powershell.exe PID: 8044 | JoeSecurity_MSIL_Load_Encrypted_Assembly | Yara detected MSIL_Load_Encrypted_Assembly | Joe Security |
Process Memory Space: powershell.exe PID: 3104 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Source | Rule | Description | Author | Strings
10.2.powershell.exe.400000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
10.2.powershell.exe.400000.0.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
0.2.powershell.exe.72b8eb8.1.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.powershell.exe.72b8eb8.1.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
Source: Process started | Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9222, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9222, CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3104, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9222, ProcessId: 2340, ProcessName: chrome.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3676, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1", ProcessId: 8044, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3676, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1", ProcessId: 8044, ProcessName: powershell.exe
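The two Sigma hits above (a browser started with remote debugging, and PowerShell run with an insecure execution policy) reduce to a few checks on process-creation events. The block below is an added example, not Joe Sandbox or Sigma code: a Python pass over constructed events that mirror the process tree in this report (PIDs and command lines as reported; the event field names, the browser and script-host lists, the notepad parent PID and the shortened utility command line are assumptions made for the example). It also adds the check a practitioner wants on top of the plain Sigma match: a browser exposing its DevTools port is rated higher when its parent is a script host, which is exactly the shape seen here (chrome.exe 2340 spawned by the 32-bit powershell.exe 3104).

```python
"""Process-creation detections for the two Sigma hits above. Added example, not Joe Sandbox
or Sigma code; events are constructed from the process tree in this report."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EID 1 / Security 4688 style; field names assumed)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree in the report: PIDs and command lines as reported; the
# notepad parent PID and the shortened utility command line are made up for the example.
EVENTS = [
    ProcEvent(8044, 3676, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted '
              r'-file "C:\Users\user\Desktop\bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1"'),
    ProcEvent(3104, 8044, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"'),
    ProcEvent(2340, 3104, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9222'),
    ProcEvent(5880, 2340, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService'),
    ProcEvent(6356, 1000, r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1"'),
]

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "chromium.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# --remote-debugging-port / --remote-debugging-pipe expose the DevTools protocol to local clients.
REMOTE_DEBUG = re.compile(r"--remote-debugging-(?:port|pipe)\b", re.IGNORECASE)
# powershell.exe accepts unambiguous prefixes of -ExecutionPolicy (-ep, -ex, -exec), so match those
# too, plus an in-script Set-ExecutionPolicy; only the two policies that disable script checks count.
INSECURE_POLICY = re.compile(
    r"(?:-(?:executionpolicy|exec|ex|ep)|set-executionpolicy)\s+(?:unrestricted|bypass)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def detect(events: Iterable[ProcEvent]) -> list[dict]:
    """Return one finding per matching event; the parent is looked up by PID within the same batch."""
    by_pid = {e.pid: e for e in events}
    findings: list[dict] = []
    for e in by_pid.values():
        name = basename(e.image)
        if name in {"powershell.exe", "pwsh.exe"} and INSECURE_POLICY.search(e.cmdline):
            findings.append({"rule": "powershell_insecure_execution_policy", "pid": e.pid,
                             "parent": None, "severity": "medium"})
        if name in BROWSERS and REMOTE_DEBUG.search(e.cmdline):
            parent = by_pid.get(e.ppid)
            parent_name = basename(parent.image) if parent else None
            # A browser exposing DevTools is suspicious by itself; launched from a script host it is
            # the pattern behind the Application-Bound Encryption bypass signature in this report.
            severity = "high" if parent_name in SCRIPT_HOSTS else "medium"
            findings.append({"rule": "browser_remote_debugging", "pid": e.pid,
                             "parent": parent_name, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Two caveats when reading the result against this report. The execution-policy hit fires on the command line that launched the submitted .ps1 (powershell.exe 8044, `-ExecutionPolicy unrestricted -file ...`), i.e. on how the sample was run, not on anything the script itself does, so on its own it is context rather than evidence against the script. The remote-debugging hit is the one that matters: with `--remote-debugging-port=9222` any local process can drive that Chrome instance over the DevTools protocol and pull cookies and saved credentials that Chrome has already decrypted, which is why the Application-Bound Encryption bypass signature fires without any DPAPI or key extraction being needed.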
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T14:45:51.470588+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49691 | 172.67.187.236 | 443 | TCP
2025-03-07T14:45:54.853676+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49692 | 172.67.187.236 | 443 | TCP
2025-03-07T14:45:52.434123+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49691 | 172.67.187.236 | 443 | TCP
2025-03-07T14:46:15.224089+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49692 | 172.67.187.236 | 443 | TCP
2025-03-07T14:45:52.434123+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49691 | 172.67.187.236 | 443 | TCP
2025-03-07T14:45:51.470588+0100 | 2060658 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49691 | 172.67.187.236 | 443 | TCP
2025-03-07T14:45:54.853676+0100 | 2060658 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 49692 | 172.67.187.236 | 443 | TCP
2025-03-07T14:45:48.320116+0100 | 2060657 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 52508 | 1.1.1.1 | 53 | UDP
2025-03-07T14:45:48.308500+0100 | 2060536 | 1 | Domain Observed Used for C2 Detected | 192.168.2.5 | 54653 | 1.1.1.1 | 53 | UDP

AV Detection

Source: farfinable.top Avira URL Cloud: Label: malware
Source: 10.2.powershell.exe.400000.0.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["neurozovery.life", "explorebieology.run", "moderzysics.top", "seedsxouts.shop", "codxefusion.top", "farfinable.top", "techspherxe.top"], "Build id": "jMw1IE--SHELLS"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.6% probability
Source: 10.2.powershell.exe.400000.0.raw.unpack String decryptor: neurozovery.life
Source: 10.2.powershell.exe.400000.0.raw.unpack String decryptor: explorebieology.run
Source: 10.2.powershell.exe.400000.0.raw.unpack String decryptor: moderzysics.top
Source: 10.2.powershell.exe.400000.0.raw.unpack String decryptor: seedsxouts.shop
Source: 10.2.powershell.exe.400000.0.raw.unpack String decryptor: codxefusion.top
Source: 10.2.powershell.exe.400000.0.raw.unpack String decryptor: farfinable.top
Source: 10.2.powershell.exe.400000.0.raw.unpack String decryptor: techspherxe.top
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00420C69 CryptUnprotectData, 10_2_00420C69
Source: unknown HTTPS traffic detected: 150.171.27.254:443 -> 192.168.2.5:49689 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49690 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.236:443 -> 192.168.2.5:49691 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.236:443 -> 192.168.2.5:49692 version: TLS 1.2
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: powershell.exe, 00000000.00000002.2052853370.0000000007830000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: powershell.exe, 00000000.00000002.2052853370.0000000007830000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+04h] 10_2_0041B970
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 8D94E5DFh 10_2_0041B970
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h] 10_2_0041B970
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h] 10_2_0041B970
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ebp, byte ptr [esp+ecx+04h] 10_2_0041B970
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ebp, byte ptr [esp+ecx+04h] 10_2_0041B970
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h 10_2_0041B970
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then push 00000000h 10_2_004131C4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx] 10_2_0044FB60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+000001DCh] 10_2_0040D3D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov dword ptr [edx], 33B23534h 10_2_0040F3D5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 656D2358h 10_2_0041E55A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+10h] 10_2_0041EE60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then inc ebx 10_2_00401040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-20D732AAh] 10_2_0040E82F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [edi], cl 10_2_004388C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [edi], cl 10_2_004388C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [edi], cl 10_2_004388C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 10_2_0041B8B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov dword ptr [edx], 33B23534h 10_2_0040F102
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov word ptr [eax], cx 10_2_0042E1CB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [eax], bl 10_2_004121CE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [edi], bl 10_2_004121CE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [edi], bl 10_2_004121CE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov dword ptr [ebp-2Ch], edi 10_2_004329EB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [edi], al 10_2_00438A67
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] 10_2_0040A200
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 10_2_0040A200
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [edi], bl 10_2_00413A11
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 720EEED4h 10_2_0044AA30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 9F1F8F53h 10_2_0044AA30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [edi], al 10_2_00438A3D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [edx], cl 10_2_00439AE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [edi], al 10_2_00438AE6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 10_2_00436360
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then cmp word ptr [ebp+esi+02h], 0000h 10_2_00429310
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+45F273A8h] 10_2_00432320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2B3BD692h] 10_2_00432320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov word ptr [eax], cx 10_2_00433324
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h 10_2_004143E3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [ecx], al 10_2_00424389
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [ebx], al 10_2_00424389
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx+10h] 10_2_00447450
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx+10h] 10_2_00447450
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx esi, byte ptr [esp+edx+04h] 10_2_00447450
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then push 00000000h 10_2_0040DC5F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-20D732AAh] 10_2_0040E46F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ecx, byte ptr [ebp+eax+2B3BD67Ah] 10_2_00431C00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ecx, byte ptr [ebp+eax+2B3BD67Ah] 10_2_00431C00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-2FFBA47Ah] 10_2_00434580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov word ptr [eax], dx 10_2_0041D235
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov word ptr [eax], dx 10_2_0041DD1B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx] 10_2_00424D1D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx] 10_2_00424D34
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx edi, byte ptr [edx+ecx-471C1166h] 10_2_0041CD3C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx edx, byte ptr [ebx+ecx-000000FEh] 10_2_0041CD3C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ecx, byte ptr [edi+eax-000000B8h] 10_2_0043A5E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h 10_2_0042ADF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-2FFBA47Ah] 10_2_00434580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [ebx], cl 10_2_004235A2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ebx, byte ptr [eax+edx] 10_2_00427610
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+0Ch] 10_2_00421EF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CA198B66h 10_2_00421EF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2Ch] 10_2_00421EF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 6D58C181h 10_2_00421EF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+2B3BD69Ah] 10_2_00412EF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+400B2B8Ah] 10_2_00423E8E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [edi], cl 10_2_00437EA6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [eax], cl 10_2_004236B9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 10_2_00442F40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then jmp dword ptr [004556B0h] 10_2_0041DF76
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov word ptr [ecx], dx 10_2_0044F720
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-00000098h] 10_2_0042A7D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+44h] 10_2_004327D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov word ptr [ebp+00h], cx 10_2_00434786
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then mov byte ptr [edi], cl 10_2_00413F8C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4x nop then movzx eax, byte ptr [edi+ecx-3Ch] 10_2_00413F8C

                      Networking

Source: Network traffic Suricata IDS: 2060657 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (agroecologyguide .digital) : 192.168.2.5:52508 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2060536 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (explorebieology .run) : 192.168.2.5:54653 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2060658 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (agroecologyguide .digital) in TLS SNI : 192.168.2.5:49691 -> 172.67.187.236:443
Source: Network traffic Suricata IDS: 2060658 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (agroecologyguide .digital) in TLS SNI : 192.168.2.5:49692 -> 172.67.187.236:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49691 -> 172.67.187.236:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49692 -> 172.67.187.236:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49691 -> 172.67.187.236:443
Source: Malware configuration extractor URLs: neurozovery.life
Source: Malware configuration extractor URLs: explorebieology.run
Source: Malware configuration extractor URLs: moderzysics.top
Source: Malware configuration extractor URLs: seedsxouts.shop
Source: Malware configuration extractor URLs: codxefusion.top
Source: Malware configuration extractor URLs: farfinable.top
Source: Malware configuration extractor URLs: techspherxe.top
Source: global traffic TCP traffic: 192.168.2.5:61955 -> 1.1.1.1:53
Source: global traffic HTTP traffic detected: GET /bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.wks HTTP/1.1 | Host: u1.wildnessreflected.shop | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 104.21.16.1
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49691 -> 172.67.187.236:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49692 -> 172.67.187.236:443
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global traffic | HTTP traffic detected: GET /bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.wks HTTP/1.1
                          Host: u1.wildnessreflected.shop
                          Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1
                          Host: www.google.com
                          Connection: keep-alive
                          X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiJo8sBCIWgzQEI9s/OAQiB1s4BCNLgzgEIr+TOAQji5M4BCIvlzgE=
                          Sec-Fetch-Site: none
                          Sec-Fetch-Mode: no-cors
                          Sec-Fetch-Dest: empty
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                          Accept-Encoding: gzip, deflate, br, zstd
                          Accept-Language: en-US,en;q=0.9
                      Source: global traffic | HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1
                          Host: www.google.com
                          Connection: keep-alive
                          Sec-Fetch-Site: none
                          Sec-Fetch-Mode: no-cors
                          Sec-Fetch-Dest: empty
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                          Accept-Encoding: gzip, deflate, br, zstd
                          Accept-Language: en-US,en;q=0.9
                      Source: global traffic | HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
                          Host: www.google.com
                          Connection: keep-alive
                          X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiJo8sBCIWgzQEI9s/OAQiB1s4BCNLgzgEIr+TOAQji5M4BCIvlzgE=
                          Sec-Fetch-Site: cross-site
                          Sec-Fetch-Mode: no-cors
                          Sec-Fetch-Dest: empty
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                          Accept-Encoding: gzip, deflate, br, zstd
                          Accept-Language: en-US,en;q=0.9
                      Source: global traffic | HTTP traffic detected: GET /async/newtab_promos HTTP/1.1
                          Host: www.google.com
                          Connection: keep-alive
                          Sec-Fetch-Site: cross-site
                          Sec-Fetch-Mode: no-cors
                          Sec-Fetch-Dest: empty
                          Sec-Fetch-Storage-Access: active
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                          Accept-Encoding: gzip, deflate, br, zstd
                          Accept-Language: en-US,en;q=0.9
                      Source: global traffic | HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo8NP2y291iiPDmfAN0GV3dvCuqlYA/cb=gapi.loaded_0 HTTP/1.1
                          Host: apis.google.com
                          Connection: keep-alive
                          sec-ch-ua-platform: "Windows"
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                          sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
                          sec-ch-ua-mobile: ?0
                          Accept: */*
                          X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiJo8sBCIWgzQE=
                          Sec-Fetch-Site: cross-site
                          Sec-Fetch-Mode: no-cors
                          Sec-Fetch-Dest: script
                          Sec-Fetch-Storage-Access: active
                          Accept-Encoding: gzip, deflate, br, zstd
                          Accept-Language: en-US,en;q=0.9
                      Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
                      Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
                      Source: chrome.exe, 0000000B.00000002.2608508522.00006044012BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2607053580.0000604400F18000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
                      Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
                      Source: chrome.exe, 0000000B.00000002.2607140232.0000604400F80000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608508522.00006044012BC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
                      Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
                      Source: chrome.exe, 0000000B.00000002.2608508522.00006044012BC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/feature=ytca equals www.youtube.com (Youtube)
                      Source: chrome.exe, 0000000B.00000002.2607943301.00006044010E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2602519571.000060440055C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608379950.0000604401260000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
                      Source: chrome.exe, 0000000B.00000002.2608508522.00006044012BC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: www.youtube.com:443 equals www.youtube.com (Youtube)
                      Source: global traffic | DNS traffic detected: DNS query: u1.wildnessreflected.shop
                      Source: global traffic | DNS traffic detected: DNS query: neurozovery.life
                      Source: global traffic | DNS traffic detected: DNS query: explorebieology.run
                      Source: global traffic | DNS traffic detected: DNS query: agroecologyguide.digital
                      Source: global traffic | DNS traffic detected: DNS query: www.google.com
                      Source: global traffic | DNS traffic detected: DNS query: apis.google.com
                      Source: global traffic | DNS traffic detected: DNS query: play.google.com
                      Source: unknown | HTTP traffic detected: POST /api HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                          Content-Length: 8
                          Host: agroecologyguide.digital
                      Source: powershell.exe, 00000000.00000002.2052137007.00000000077B0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                      Source: powershell.exe, 00000000.00000002.2052137007.00000000077B0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt0
                      Source: powershell.exe, 00000000.00000002.2052137007.00000000077B0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
                      Source: powershell.exe, 00000000.00000002.2052137007.00000000077B0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                      Source: powershell.exe, 00000000.00000002.2052137007.00000000077B0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                      Source: chrome.exe, 0000000B.00000002.2601321617.000060440020C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://clients2.google.com/time/1/current
                      Source: chrome.exe, 0000000B.00000002.2604213637.0000604400864000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
                      Source: powershell.exe, 00000000.00000002.2028733167.00000000033AC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2053622633.0000000007B03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
                      Source: powershell.exe, 00000000.00000002.2052137007.00000000077B0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                      Source: powershell.exe, 00000000.00000002.2052137007.00000000077B0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0N
                      Source: powershell.exe, 00000000.00000002.2052137007.00000000077B0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
                      Source: powershell.exe, 00000000.00000002.2052137007.00000000077B0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                      Source: powershell.exe, 00000000.00000002.2052137007.00000000077B0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                      Source: powershell.exe, 00000000.00000002.2052137007.00000000077B0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0=
                      Source: chrome.exe, 0000000B.00000002.2599641255.0000604400096000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://google.com/
                      Source: powershell.exe, 00000000.00000002.2052137007.00000000077B0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                      Source: powershell.exe, 00000000.00000002.2052137007.00000000077B0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
                      Source: powershell.exe, 00000000.00000002.2052137007.00000000077B0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
                      Source: powershell.exe, 00000000.00000002.2052137007.00000000077B0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0W
                      Source: powershell.exe, 00000000.00000002.2052137007.00000000077B0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
                      Source: chrome.exe, 0000000B.00000002.2612389942.0000604401C04000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://r1---sn-hp57knd6.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT
                      Source: chrome.exe, 0000000B.00000002.2609719214.0000604401404000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
                      Source: powershell.exe, 00000000.00000002.2029749606.0000000005561000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: chrome.exe, 0000000B.00000002.2606007147.0000604400DB8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://unisolated.invalid/
                      Source: powershell.exe, 00000000.00000002.2052137007.00000000077B0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
                      Source: chrome.exe, 0000000B.00000002.2606055931.0000604400DE0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.gstatic.com/generate_204
                      Source: chrome.exe, 0000000B.00000002.2581370623.000001BE3CCD2000.00000002.00000001.00040000.00000011.sdmp | String found in binary or memory: http://www.unicode.org/copyright.html
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://a-mo.net
                      Source: chrome.exe, 0000000B.00000002.2605950066.0000604400D94000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
                      Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
                      Source: chrome.exe, 0000000B.00000002.2599393914.0000604400030000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
                      Source: chrome.exe, 0000000B.00000002.2611674236.0000604401928000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2603453614.0000604400730000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com
                      Source: chrome.exe, 0000000B.00000002.2601321617.000060440020C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2611674236.0000604401928000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/
                      Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/AccountChooser
                      Source: chrome.exe, 0000000B.00000002.2601321617.000060440020C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/AddSession
                      Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
                      Source: chrome.exe, 0000000B.00000003.2345298835.0000604401114000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo?source=ChromiumBrowser
                      Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
                      Source: chrome.exe, 0000000B.00000002.2601321617.000060440020C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/Logout
                      Source: chrome.exe, 0000000B.00000002.2601321617.000060440020C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/RotateBoundCookies
                      Source: chrome.exe, 0000000B.00000002.2601321617.000060440020C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/chrome/blank.html
                      Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
                      Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
                      Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
                      Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
                      Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
                      Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/embedded/setup/windows
                      Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
                      Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
                      Source: chrome.exe, 0000000B.00000002.2599705933.00006044000B1000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
                      Source: chrome.exe, 0000000B.00000002.2601321617.000060440020C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
                      Source: chrome.exe, 0000000B.00000002.2601321617.000060440020C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/oauth/multilogin
                      Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/samlredirect
                      Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
                      Source: chrome.exe, 0000000B.00000002.2603453614.0000604400730000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com:443
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ad-stir.com
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://adroll.com
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://adscale.de
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://adsmeasurement.com
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://adswizz.com
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://adtrafficquality.google
                      Source: powershell.exe, 00000000.00000002.2029749606.0000000005561000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://akpytela.cz
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://alketech.eu
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://amazon-adsystem.com
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://aniview.com
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://apex-football.com
                      Source: chrome.exe, 0000000B.00000003.2497521541.0000604401F94000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497603415.0000604401F60000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497341864.0000604401F58000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497427640.00006044015C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2613030239.0000604401F68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497008406.0000604401ED4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
                      Source: chrome.exe, 0000000B.00000002.2607700275.0000604401050000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2599555394.000060440005C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2596013104.000001BE445D7000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.uiLLJjqnhCQ.O/m=gapi_iframes
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://appconsent.io
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://aqfer.com
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://atomex.net
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://audience360.com.au
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://audienceproject.com
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://authorizedvault.com
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://beaconmax.com
                      Source: chrome.exe, 0000000B.00000002.2604645262.000060440095C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://bluems.com
                      Source: chrome.exe, 0000000B.00000003.2385107262.0000604400594000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2385044582.00006044015A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2385085401.0000604401604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2383934310.0000604401624000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://calendar.google.com
                      Source: chrome.exe, 0000000B.00000002.2605751397.0000604400CAC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2610426702.0000604401508000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2605133958.0000604400B30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://cazamba.com
                      Source: chrome.exe, 0000000B.00000002.2605950066.0000604400D94000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: chrome.exe, 0000000B.00000002.2605950066.0000604400D94000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: chrome.exe, 0000000B.00000002.2605950066.0000604400D94000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: chrome.exe, 0000000B.00000003.2385187056.0000604401414000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604213637.0000604400864000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604576648.000060440091C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604615887.0000604400930000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore
                      Source: chrome.exe, 0000000B.00000002.2601653191.0000604400334000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore/category/collection/chrome_color_themes?hl=$
                      Source: chrome.exe, 0000000B.00000002.2591360366.000001BE3EF50000.00000002.00000001.00040000.00000015.sdmp | String found in binary or memory: https://chrome.google.com/webstore/category/extensions
                      Source: chrome.exe, 0000000B.00000002.2611288390.000060440186C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2606055931.0000604400DE0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2605283266.0000604400B98000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2606526530.0000604400E2C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
                      Source: chrome.exe, 0000000B.00000002.2591360366.000001BE3EF50000.00000002.00000001.00040000.00000015.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
                      Source: chrome.exe, 0000000B.00000002.2591360366.000001BE3EF50000.00000002.00000001.00040000.00000015.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
                      Source: chrome.exe, 0000000B.00000003.2385152329.0000604401204000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2385187056.0000604401414000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstoreLDDiscover
                      Source: chrome.exe, 0000000B.00000002.2591360366.000001BE3EF50000.00000002.00000001.00040000.00000015.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
                      Source: chrome.exe, 0000000B.00000002.2591360366.000001BE3EF50000.00000002.00000001.00040000.00000015.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
                      Source: chrome.exe, 0000000B.00000002.2591360366.000001BE3EF50000.00000002.00000001.00040000.00000015.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
                      Source: chrome.exe, 0000000B.00000002.2591360366.000001BE3EF50000.00000002.00000001.00040000.00000015.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
                      Source: chrome.exe, 0000000B.00000002.2591360366.000001BE3EF50000.00000002.00000001.00040000.00000015.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
                      Source: chrome.exe, 0000000B.00000002.2591360366.000001BE3EF50000.00000002.00000001.00040000.00000015.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
                      Source: chrome.exe, 0000000B.00000003.2385338031.0000604401AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymity-pa.googleapis.com/
                      Source: chrome.exe, 0000000B.00000003.2385338031.0000604401A88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2384921390.0000604000630000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
                      Source: chrome.exe, 0000000B.00000003.2385338031.0000604401AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymity-pa.googleapis.com/KAnonymityServiceAuthServer
                      Source: chrome.exe, 0000000B.00000003.2385338031.0000604401AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
                      Source: chrome.exe, 0000000B.00000003.2385338031.0000604401A88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2384921390.0000604000630000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
                      Source: chrome.exe, 0000000B.00000003.2326287248.00006040004CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2385338031.0000604401AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
                      Source: chrome.exe, 0000000B.00000003.2385338031.0000604401A88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2384921390.0000604000630000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
                      Source: chrome.exe, 0000000B.00000002.2603728769.0000604400790000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromemodelexecution-pa.googleapis.com/v1:Execute?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
                      Source: chrome.exe, 0000000B.00000002.2603728769.0000604400790000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromemodelquality-pa.googleapis.com/v1:LogAiData?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
                      Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
                      Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
                      Source: chrome.exe, 0000000B.00000002.2591360366.000001BE3EF50000.00000002.00000001.00040000.00000015.sdmpString found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
                      Source: chrome.exe, 0000000B.00000002.2600647335.0000604400190000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromewebstore.google.com/
                      Source: chrome.exe, 0000000B.00000002.2604792459.00006044009D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromewebstore.google.com/category/extensions
                      Source: chrome.exe, 0000000B.00000002.2604792459.00006044009D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://chromewebstore.google.com/category/themes
                      Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://classroom.googleapis.com/
                      Source: chrome.exe, 0000000B.00000002.2604792459.00006044009D9000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients2.goog
                      Source: chrome.exe, 0000000B.00000002.2598069885.00002A38000DC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/cr/report
                      Source: chrome.exe, 0000000B.00000002.2607994370.0000604401114000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2600647335.0000604400190000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2385062141.0000604401110000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497692870.0000604401110000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604213637.0000604400864000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2345298835.0000604401114000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2603453614.0000604400730000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604615887.0000604400930000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx
                      Source: chrome.exe, 0000000B.00000002.2604093808.0000604400804000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
                      Source: chrome.exe, 0000000B.00000002.2604093808.0000604400804000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
                      Source: chrome.exe, 0000000B.00000002.2604093808.0000604400804000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
                      Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients4.google.com/chrome-sync
                      Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients4.google.com/chrome-sync/event
                      Source: chrome.exe, 0000000B.00000002.2604213637.0000604400864000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://connatix.com
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://convertunits.com
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://coupang.com
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://cpx.to
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://creative-serving.com
                      Source: chrome.exe, 0000000B.00000002.2602103440.000060440046C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://dailymail.co.uk
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://dailymotion.com
                      Source: chrome.exe, 0000000B.00000002.2603453614.0000604400730000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/
                      Source: chrome.exe, 0000000B.00000002.2608508522.00006044012BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2606526530.0000604400E2C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/
                      Source: chrome.exe, 0000000B.00000002.2605893628.0000604400D4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2601941389.0000604400404000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/:
                      Source: chrome.exe, 0000000B.00000002.2606007147.0000604400DB8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2606055931.0000604400DE0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2601941389.0000604400404000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
                      Source: chrome.exe, 0000000B.00000002.2605893628.0000604400D4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2601941389.0000604400404000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/J
                      Source: chrome.exe, 0000000B.00000003.2385338031.0000604401AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview
                      Source: chrome.exe, 0000000B.00000003.2385338031.0000604401A88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2384921390.0000604000630000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
                      Source: chrome.exe, 0000000B.00000002.2607943301.00006044010E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2605893628.0000604400D4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608379950.0000604401260000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2601941389.0000604400404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2611385761.00006044018BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
                      Source: chrome.exe, 0000000B.00000002.2607943301.00006044010E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_defaultult
                      Source: chrome.exe, 0000000B.00000002.2608379950.0000604401260000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_defaultultJp
                      Source: chrome.exe, 0000000B.00000002.2605751397.0000604400CAC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2610426702.0000604401508000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2605133958.0000604400B30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
                      Source: chrome.exe, 0000000B.00000002.2605751397.0000604400CAC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2610426702.0000604401508000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2605133958.0000604400B30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
                      Source: chrome.exe, 0000000B.00000002.2606007147.0000604400DB8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608508522.00006044012BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/
                      Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2601941389.0000604400404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2607917002.00006044010D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/:
                      Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608379950.0000604401260000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2601941389.0000604400404000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
                      Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2601941389.0000604400404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2607917002.00006044010D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/J
                      Source: chrome.exe, 0000000B.00000002.2607943301.00006044010E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608379950.0000604401260000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2601941389.0000604400404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2607917002.00006044010D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2611385761.00006044018BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
                      Source: chrome.exe, 0000000B.00000002.2605751397.0000604400CAC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2610426702.0000604401508000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2605133958.0000604400B30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
                      Source: chrome.exe, 0000000B.00000002.2610426702.0000604401508000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions7
                      Source: chrome.exe, 0000000B.00000002.2608508522.00006044012BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2607053580.0000604400F18000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/
                      Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/:
                      Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2345246716.000060440103D000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608379950.0000604401260000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2607641143.000060440103D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
                      Source: chrome.exe, 0000000B.00000003.2345246716.000060440103D000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2607641143.000060440103D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webappsageHandler
                      Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/J
                      Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608379950.0000604401260000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2611385761.00006044018BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
                      Source: chrome.exe, 0000000B.00000002.2605751397.0000604400CAC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2610426702.0000604401508000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2605133958.0000604400B30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://doubleverify.com
                      Source: chrome.exe, 0000000B.00000002.2603453614.0000604400730000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-4.corp.google.com/
                      Source: chrome.exe, 0000000B.00000002.2603453614.0000604400730000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-5.corp.google.com/
                      Source: chrome.exe, 0000000B.00000002.2603453614.0000604400730000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-6.corp.google.com/
                      Source: chrome.exe, 0000000B.00000002.2603453614.0000604400730000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive-preprod.corp.google.com/
                      Source: chrome.exe, 0000000B.00000002.2603453614.0000604400730000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive-staging.corp.google.com/
                      Source: chrome.exe, 0000000B.00000002.2607994370.0000604401114000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608508522.00006044012BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2385062141.0000604401110000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497692870.0000604401110000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2345298835.0000604401114000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2603453614.0000604400730000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
                      Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/:
                      Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608508522.00006044012BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608535142.00006044012E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?lfhs=2
                      Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/J
                      Source: chrome.exe, 0000000B.00000002.2607943301.00006044010E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2606007147.0000604400DB8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608379950.0000604401260000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2611385761.00006044018BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
                      Source: chrome.exe, 0000000B.00000002.2607943301.00006044010E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default-
                      Source: chrome.exe, 0000000B.00000002.2608508522.00006044012BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/lfhs=2
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ebis.ne.jp
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://elnacional.cat
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://eloan.co.jp
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://explorefledge.com
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://fandom.com
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://finn.no
                      Source: chrome.exe, 0000000B.00000003.2384322753.0000604401720000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2384630614.0000604401748000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2384588190.00006044016CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://fonts.google.com/icons?selected=Material
                      Source: chrome.exe, 0000000B.00000002.2605950066.0000604400D94000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                      Source: chrome.exe, 0000000B.00000003.2385338031.0000604401AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/glic
                      Source: chrome.exe, 0000000B.00000003.2385338031.0000604401AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/glic/intro?
                      Source: chrome.exe, 0000000B.00000003.2385338031.0000604401A88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2384921390.0000604000630000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/glic/intro?20
                      Source: chrome.exe, 0000000B.00000003.2385338031.0000604401A88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2384921390.0000604000630000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/glic2
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://getcapi.co
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://globo.com
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gokwik.co
                      Source: chrome.exe, 0000000B.00000003.2326333401.00006040004D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
                      Source: chrome.exe, 0000000B.00000003.2385338031.0000604401A88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2384921390.0000604000630000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
                      Source: chrome.exe, 0000000B.00000003.2326287248.00006040004CC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/
                      Source: chrome.exe, 0000000B.00000003.2326287248.00006040004CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2385338031.0000604401AE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 0000000B.00000003.2385338031.0000604401A88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2384921390.0000604000630000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 0000000B.00000003.2326287248.00006040004CC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 0000000B.00000003.2326287248.00006040004CC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Pre
Source: chrome.exe, 0000000B.00000003.2326287248.00006040004CC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 0000000B.00000002.2599326084.0000604400004000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2599555394.000060440005C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://google.com/
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://googlesyndication.com
Source: chrome.exe, 0000000B.00000002.2604478637.00006044008F8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 0000000B.00000003.2385338031.0000604401AE0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://goto.google.com/sme-bugs
Source: chrome.exe, 0000000B.00000003.2385338031.0000604401A88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2385256791.0000604401CD8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2384921390.0000604000630000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://gunosy.com
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://halcy.de
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://iobeya.com
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://jkforum.net
Source: chrome.exe, 0000000B.00000002.2605893628.0000604400D4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2605283266.0000604400B98000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2610968444.00006044017CC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 0000000B.00000003.2497427640.00006044015C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497008406.0000604401ED4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 0000000B.00000003.2385107262.0000604400594000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2383934310.0000604401624000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://lens.google.com/gen204
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://linkedin.com
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://logly.co.jp
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://lwadm.com
Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 0000000B.00000002.2606653716.0000604400E6C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608508522.00006044012BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608197077.00006044011C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/chat/
Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/chat/:
Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/chat/J
Source: chrome.exe, 0000000B.00000002.2608379950.0000604401260000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2611385761.00006044018BC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_default
Source: chrome.exe, 0000000B.00000002.2607943301.00006044010E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/chat/download?usp=chrome_default_defaultult
Source: chrome.exe, 0000000B.00000002.2606007147.0000604400DB8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608508522.00006044012BC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/
Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 0000000B.00000003.2497427640.00006044015C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497008406.0000604401ED4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2607053580.0000604400F18000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 0000000B.00000002.2608508522.00006044012BC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/ebapp
Source: chrome.exe, 0000000B.00000002.2607943301.00006044010E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2607053580.0000604400F18000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608379950.0000604401260000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2601941389.0000604400404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2611385761.00006044018BC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 0000000B.00000002.2611385761.00006044018BC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_defaultdefault
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://metro.co.uk
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://momento.dev
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://moshimo.com
Source: chrome.exe, 0000000B.00000002.2605065323.0000604400AA8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2610968444.00006044017CC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 0000000B.00000002.2605751397.0000604400CAC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2607053580.0000604400F18000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604905014.0000604400A04000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 0000000B.00000002.2605751397.0000604400CAC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2607053580.0000604400F18000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604905014.0000604400A04000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 0000000B.00000002.2607053580.0000604400F18000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhoneer
Source: chrome.exe, 0000000B.00000003.2326568256.0000604000540000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome
Source: chrome.exe, 0000000B.00000003.2385338031.0000604401A88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2384921390.0000604000630000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 0000000B.00000002.2605751397.0000604400CAC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608071109.0000604401154000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604905014.0000604400A04000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 0000000B.00000002.2605578293.0000604400C3C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2384492399.0000604401214000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2591360366.000001BE3EF50000.00000002.00000001.00040000.00000015.sdmp | String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://nexxen.tech
Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 0000000B.00000003.2497521541.0000604401F94000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497603415.0000604401F60000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497341864.0000604401F58000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497427640.00006044015C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2613030239.0000604401F68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497008406.0000604401ED4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 0000000B.00000002.2596013104.000001BE445DD000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 0000000B.00000003.2497521541.0000604401F94000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497603415.0000604401F60000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497341864.0000604401F58000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497427640.00006044015C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2613030239.0000604401F68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497008406.0000604401ED4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 0000000B.00000003.2497521541.0000604401F94000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497603415.0000604401F60000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497341864.0000604401F58000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497427640.00006044015C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2613030239.0000604401F68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497008406.0000604401ED4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://onet.pl
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://open-bid.com
Source: chrome.exe, 0000000B.00000002.2609830790.000060440143D000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2609867532.0000604401448000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 0000000B.00000002.2611408699.00006044018CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2610744244.0000604401660000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2605578293.0000604400C3C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2611994239.00006044019C9000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2610148163.0000604401487000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2610320385.00006044014D4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2609498605.00006044013BC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 0000000B.00000003.2345550521.0000604401430000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2609830790.000060440143D000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2609888216.0000604401454000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2609867532.0000604401448000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 0000000B.00000002.2594414125.000001BE3FFD7000.00000004.10000000.00040000.00000000.sdmp, chrome.exe, 0000000B.00000002.2610148163.0000604401487000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2610320385.00006044014D4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2609498605.00006044013BC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 0000000B.00000003.2345550521.0000604401430000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2609830790.000060440143D000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2609888216.0000604401454000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2609867532.0000604401448000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 0000000B.00000002.2600792447.00006044001B0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2609830790.000060440143D000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2609867532.0000604401448000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 0000000B.00000002.2609830790.000060440143D000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2609867532.0000604401448000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 0000000B.00000002.2611408699.00006044018CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2611994239.00006044019C9000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1696267841&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 0000000B.00000002.2611872048.0000604401974000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2611994239.00006044019C9000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2594414125.000001BE3FFD7000.00000004.10000000.00040000.00000000.sdmp, chrome.exe, 0000000B.00000002.2612413365.0000604401C48000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1728324084&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 0000000B.00000002.2611872048.0000604401974000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2610513953.000060440153C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2611994239.00006044019C9000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2610148163.0000604401487000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739808228&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 0000000B.00000003.2497692870.0000604401110000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2610513953.000060440153C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2611994239.00006044019C9000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2610148163.0000604401487000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739808249&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 0000000B.00000002.2611408699.00006044018CC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2611994239.00006044019C9000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1739894676&target=OPTIMIZATION_TARGET_CLI
Source: chrome.exe, 0000000B.00000003.2345550521.0000604401430000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2609830790.000060440143D000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2609888216.0000604401454000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2609867532.0000604401448000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2609498605.00006044013BC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 0000000B.00000002.2611872048.0000604401974000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2611994239.00006044019C9000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=240731042075&target=OPTIMIZATION_TARGET_S
Source: chrome.exe, 0000000B.00000002.2599613211.0000604400088000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=5&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 0000000B.00000002.2612028026.00006044019D4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608221187.00006044011D8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetModels?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE
Source: chrome.exe, 0000000B.00000003.2385107262.0000604400594000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2385085401.0000604401604000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2383934310.0000604401624000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://outlook.office.com/calendar/
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://paa-reporting-advertising.amazon
Source: chrome.exe, 0000000B.00000002.2591360366.000001BE3EF50000.00000002.00000001.00040000.00000015.sdmp | String found in binary or memory: https://passwords.google.comSaved
Source: chrome.exe, 0000000B.00000002.2604645262.000060440095C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://passwords.google/
Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://people.googleapis.com/
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://permutive.app
Source: chrome.exe, 0000000B.00000002.2610513953.000060440153C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2611206007.0000604401834000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2609636954.00006044013F8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://pmdragonfly.com
Source: chrome.exe, 0000000B.00000002.2605578293.0000604400C3C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2384492399.0000604401214000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2591360366.000001BE3EF50000.00000002.00000001.00040000.00000015.sdmp | String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://postrelease.com
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://presage.io
Source: chrome.exe, 0000000B.00000002.2603988266.00006044007D8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 0000000B.00000002.2603988266.00006044007D8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://quora.com
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://r2b2.io
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://retargetly.com
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://rubiconproject.com
Source: chrome.exe, 0000000B.00000002.2604615887.0000604400930000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://samplicio.us
Source: chrome.exe, 0000000B.00000002.2604615887.0000604400930000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2599705933.00006044000A0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyA2KlwBX3mkFo30om9LU
Source: chrome.exe, 0000000B.00000002.2606055931.0000604400DE0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://seedtag.com
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://semafor.com
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sephora.com
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://shared-storage-demo-publisher-b.web.app
Source: chrome.exe, 0000000B.00000003.2385338031.0000604401AE0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://shieldedids-pa.googleapis.com
Source: chrome.exe, 0000000B.00000003.2385338031.0000604401A88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2384921390.0000604000630000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 0000000B.00000002.2605893628.0000604400D4C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2605283266.0000604400B98000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2610883355.00006044017A4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sitescout.com
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://snapchat.com
Source: chrome.exe, 0000000B.00000003.2497427640.00006044015C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497008406.0000604401ED4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://storygize.net
Source: chrome.exe, 0000000B.00000002.2591360366.000001BE3EF50000.00000002.00000001.00040000.00000015.sdmp | String found in binary or memory: https://support.google.com/chrome/a/?p=browser_profile_details
Source: chrome.exe, 0000000B.00000002.2591360366.000001BE3EF50000.00000002.00000001.00040000.00000015.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: chrome.exe, 0000000B.00000002.2591360366.000001BE3EF50000.00000002.00000001.00040000.00000015.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/96817
Source: chrome.exe, 0000000B.00000002.2602968760.0000604400604000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome?p=desktop_tab_groups
Source: chrome.exe, 0000000B.00000002.2591360366.000001BE3EF50000.00000002.00000001.00040000.00000015.sdmp | String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: chrome.exe, 0000000B.00000002.2606055931.0000604400DE0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tailtarget.com
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tangooserver.com
Source: chrome.exe, 0000000B.00000002.2601354431.0000604400234000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tasks.googleapis.com/
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tiktok.com
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://torneos.gg
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://trip.com
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://trkkn.com
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://tya-dev.com
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://undertone.com
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://unrulymedia.com
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://usemax.de
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://verve.com
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://vidazoo.com
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://weborama.fr
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://worldhistory.org
Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://wp.pl
Source: chrome.exe, 0000000B.00000002.2605950066.0000604400D94000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: chrome.exe, 0000000B.00000002.2610799337.00006044016BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2610682140.00006044015DC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604645262.000060440095C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604615887.0000604400930000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604539244.0000604400910000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/
                      Source: chrome.exe, 0000000B.00000002.2610883355.00006044017A4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
                      Source: chrome.exe, 0000000B.00000002.2610883355.00006044017A4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/async/newtab_promos
                      Source: chrome.exe, 0000000B.00000002.2604645262.000060440095C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/#safe
                      Source: chrome.exe, 0000000B.00000002.2604792459.00006044009D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/browser-features/
                      Source: chrome.exe, 0000000B.00000002.2604792459.00006044009D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/browser-tools/
                      Source: chrome.exe, 0000000B.00000003.2384921390.0000604000630000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
                      Source: chrome.exe, 0000000B.00000002.2591360366.000001BE3EF50000.00000002.00000001.00040000.00000015.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
                      Source: chrome.exe, 0000000B.00000002.2607140232.0000604400F80000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2605283266.0000604400B98000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2605779115.0000604400CCC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/tips/
                      Source: chrome.exe, 0000000B.00000002.2605950066.0000604400D94000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604093808.0000604400804000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2601941389.0000604400404000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2602968760.0000604400604000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                      Source: chrome.exe, 0000000B.00000003.2497427640.00006044015C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497008406.0000604401ED4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/imghp?hl=en&amp;tab=ri&amp;ogbl
                      Source: chrome.exe, 0000000B.00000003.2497008406.0000604401ED4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
                      Source: chrome.exe, 0000000B.00000003.2384921390.0000604000630000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search
                      Source: chrome.exe, 0000000B.00000002.2602075112.0000604400450000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
                      Source: chrome.exe, 0000000B.00000002.2601321617.000060440020C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/
                      Source: chrome.exe, 0000000B.00000003.2385338031.0000604401AE0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2326568256.0000604000540000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
                      Source: chrome.exe, 0000000B.00000003.2385338031.0000604401A88000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2384921390.0000604000630000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
                      Source: chrome.exe, 0000000B.00000003.2326568256.0000604000540000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/auth/shieldedids.managerForcedOn_PlusAddressAndroidOpenGmsCoreManagementP
                      Source: chrome.exe, 0000000B.00000002.2601321617.000060440020C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
                      Source: chrome.exe, 0000000B.00000002.2601321617.000060440020C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
                      Source: chrome.exe, 0000000B.00000002.2601321617.000060440020C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/oauth2/v4/token
                      Source: chrome.exe, 0000000B.00000002.2601321617.000060440020C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
                      Source: chrome.exe, 0000000B.00000002.2604093808.0000604400804000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2610513953.000060440153C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
                      Source: chrome.exe, 0000000B.00000003.2497388269.0000604401FB8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
                      Source: chrome.exe, 0000000B.00000003.2497581687.00006044019DC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2612939709.0000604401EC4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2402441048.0000604401CE8000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497008406.0000604401ED4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497407597.0000604401FC0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497388269.0000604401FB8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
                      Source: chrome.exe, 0000000B.00000002.2607917002.00006044010D0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497008406.0000604401ED4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.WcyoQrvsWY0.2019.O/rt=j/m=q_dnp
                      Source: chrome.exe, 0000000B.00000003.2497521541.0000604401F94000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497603415.0000604401F60000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497341864.0000604401F58000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497427640.00006044015C0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2613030239.0000604401F68000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2497008406.0000604401ED4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.L8bgMGq1rcI.L.W.O/m=qmd
                      Source: chrome.exe, 0000000B.00000002.2608508522.00006044012BC000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2607053580.0000604400F18000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
                      Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/:
                      Source: chrome.exe, 0000000B.00000002.2607140232.0000604400F80000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608508522.00006044012BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?feature=ytca
                      Source: chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/J
                      Source: chrome.exe, 0000000B.00000002.2608508522.00006044012BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/feature=ytca
                      Source: chrome.exe, 0000000B.00000002.2607943301.00006044010E0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2604718264.00006044009A4000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2602519571.000060440055C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2608379950.0000604401260000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2384300047.0000604400550000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2611385761.00006044018BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://yieldlab.net
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://yieldmo.com
                      Source: chrome.exe, 0000000B.00000002.2606213729.0000604400E07000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://youronlinechoices.eu
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 61958 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 61965 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61965
Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61960
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49675
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown | Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61958
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 61960 -> 443
Source: unknown | HTTPS traffic detected: 150.171.27.254:443 -> 192.168.2.5:49689 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49690 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.187.236:443 -> 192.168.2.5:49691 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.187.236:443 -> 192.168.2.5:49692 version: TLS 1.2
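The port rows above list each TCP connection twice, once per direction, and the server address and TLS version only appear in the separate "HTTPS traffic detected" rows. The following Python is an added triage helper, not part of the Joe Sandbox report or of the sandbox's own tooling: it collapses the directional rows into one flow per client port, joins the server IP and TLS version onto each flow, and flags flows for which the report shows only one direction or no TLS handshake row. It assumes "port A -> port B" means source port to destination port (so the side that is not 443 is the client port) and uses a subset of the rows from this report as its constructed input.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the port and HTTPS rows from this report,
# in the fused form the extracted page shows them in.
SAMPLE_ROWS = [
    "Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49689",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 49689 -> 443",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 49690 -> 443",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49690",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 49691 -> 443",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49691",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 49692 -> 443",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49692",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 61958 -> 443",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 61958",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443",
    "Source: unknownHTTPS traffic detected: 150.171.27.254:443 -> 192.168.2.5:49689 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49690 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 172.67.187.236:443 -> 192.168.2.5:49691 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 172.67.187.236:443 -> 192.168.2.5:49692 version: TLS 1.2",
]

PORT_ROW = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_ROW = re.compile(
    r"HTTPS traffic detected: ([\d.]+):(\d+) -> ([\d.]+):(\d+) version: (TLS [\d.]+)")


def correlate(rows):
    """Map client port -> {'directions': set, 'server': ip or None, 'tls': version or None}.

    Assumption: 'port A -> port B' is source -> destination, so the non-443 side
    is the sandbox client's ephemeral port and identifies the connection.
    """
    flows = {}
    for row in rows:
        m = PORT_ROW.search(row)
        if m:
            a, b = int(m.group(1)), int(m.group(2))
            if 443 not in (a, b):
                continue  # not one of the TLS flows this helper tracks
            client = b if a == 443 else a
            f = flows.setdefault(client, {"directions": set(), "server": None, "tls": None})
            f["directions"].add("s2c" if a == 443 else "c2s")
            continue
        m = TLS_ROW.search(row)
        if m:
            server_ip, _, _, client_port, version = m.groups()
            f = flows.setdefault(int(client_port), {"directions": set(), "server": None, "tls": None})
            f["server"], f["tls"] = server_ip, version
    return flows


def summarize(flows):
    """Group flows by server IP and list the ones that need a second look."""
    by_server = defaultdict(list)
    no_tls_row, one_sided = [], []
    for port, f in sorted(flows.items()):
        if f["server"]:
            by_server[f["server"]].append(port)
        else:
            no_tls_row.append(port)   # 443 traffic with no handshake row in the report
        if len(f["directions"]) < 2:
            one_sided.append(port)    # only one direction listed
    return {"by_server": dict(by_server), "no_tls_row": no_tls_row, "one_sided": one_sided}


if __name__ == "__main__":
    for key, value in summarize(correlate(SAMPLE_ROWS)).items():
        print(key, value)
```

On the full row set this turns 34 directional rows into 17 flows and shows that only four of them have a recorded handshake; the two Cloudflare-range servers (104.21.16.1 and 172.67.187.236) are the ones to take into the C2 section of the report.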
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00440EC0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard | 10_2_00440EC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00440EC0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard | 10_2_00440EC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0044128D GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject | 10_2_0044128D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00423170 CreateDesktopW | 10_2_00423170
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_07682FC0 NtResumeThread | 0_2_07682FC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_07682FB8 NtResumeThread | 0_2_07682FB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_076779E8 | 0_2_076779E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_07677B59 | 0_2_07677B59
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0767C240 | 0_2_0767C240
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0767C233 | 0_2_0767C233
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0767EAC8 | 0_2_0767EAC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0767EAB7 | 0_2_0767EAB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_076779D9 | 0_2_076779D9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_078F6A9C | 0_2_078F6A9C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0041B970 | 10_2_0041B970
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0041F99C | 10_2_0041F99C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_004462F0 | 10_2_004462F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00416A98 | 10_2_00416A98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0040BAB0 | 10_2_0040BAB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00411B4A | 10_2_00411B4A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0040F3D5 | 10_2_0040F3D5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00426380 | 10_2_00426380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00420C69 | 10_2_00420C69
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0041E55A | 10_2_0041E55A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0041EE60 | 10_2_0041EE60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00449F50 | 10_2_00449F50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00401040 | 10_2_00401040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0040F850 | 10_2_0040F850
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0044481E | 10_2_0044481E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0044D8C0 | 10_2_0044D8C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_004358B5 | 10_2_004358B5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0042E940 | 10_2_0042E940
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00447940 | 10_2_00447940
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00425170 | 10_2_00425170
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0042197F | 10_2_0042197F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00414900 | 10_2_00414900
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00425900 | 10_2_00425900
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0040F102 | 10_2_0040F102
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0043A107 | 10_2_0043A107
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0042E1CB | 10_2_0042E1CB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_004121CE | 10_2_004121CE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_004349A3 | 10_2_004349A3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0043E1AC | 10_2_0043E1AC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_004409B0 | 10_2_004409B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0044D9B0 | 10_2_0044D9B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00439A68 | 10_2_00439A68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0040A200 | 10_2_0040A200
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00413A11 | 10_2_00413A11
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0044D211 | 10_2_0044D211
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00408A30 | 10_2_00408A30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0044AA30 | 10_2_0044AA30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00402AC0 | 10_2_00402AC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_004112D0 | 10_2_004112D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0044F2E0 | 10_2_0044F2E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0043BAFF | 10_2_0043BAFF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_004182B0 | 10_2_004182B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0044DB40 | 10_2_0044DB40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00432B5A | 10_2_00432B5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0044EB00 | 10_2_0044EB00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00429310 | 10_2_00429310
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00432320 | 10_2_00432320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0044DBD0 | 10_2_0044DBD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00447BA0 | 10_2_00447BA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00445BB0 | 10_2_00445BB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0041DBB9 | 10_2_0041DBB9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00440C40 | 10_2_00440C40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00447450 | 10_2_00447450
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00445450 | 10_2_00445450
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0044DC60 | 10_2_0044DC60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0040AC00 | 10_2_0040AC00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00431C00 | 10_2_00431C00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00434580 | 10_2_00434580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00409420 | 10_2_00409420
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0043DC23 | 10_2_0043DC23
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_004034C0 | 10_2_004034C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00433CF0 | 10_2_00433CF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00427C80 | 10_2_00427C80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0042EC90 | 10_2_0042EC90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_004334BD | 10_2_004334BD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0040B550 | 10_2_0040B550
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00425560 | 10_2_00425560
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00420506 | 10_2_00420506
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00407D20 | 10_2_00407D20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0041CD3C | 10_2_0041CD3C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0042ADF0 | 10_2_0042ADF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00434580 | 10_2_00434580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0040CD90 | 10_2_0040CD90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0044E5B0 | 10_2_0044E5B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00417E4B | 10_2_00417E4B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00403E60 | 10_2_00403E60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00421660 | 10_2_00421660
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0043AE60 | 10_2_0043AE60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00434E65 | 10_2_00434E65
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_004176DD | 10_2_004176DD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00421EF0 | 10_2_00421EF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00412EF8 | 10_2_00412EF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0043FE85 | 10_2_0043FE85
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0042C694 | 10_2_0042C694
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00408EA0 | 10_2_00408EA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00429EA0 | 10_2_00429EA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00437EA6 | 10_2_00437EA6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_004456B0 | 10_2_004456B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0044EEB0 | 10_2_0044EEB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00444EBA | 10_2_00444EBA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00404742 | 10_2_00404742
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0041D742 | 10_2_0041D742
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00410751 | 10_2_00410751
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0040C720 | 10_2_0040C720
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_004397CF | 10_2_004397CF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0042A7D0 | 10_2_0042A7D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00425FE0 | 10_2_00425FE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00445FE0 | 10_2_00445FE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00446FE0 | 10_2_00446FE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00447FF5 | 10_2_00447FF5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00413F8C | 10_2_00413F8C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0043F79B | 10_2_0043F79B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_004247A0 | 10_2_004247A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: String function: 0040B220 appears 42 times
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: String function: 0041B960 appears 108 times
Source: 0.2.powershell.exe.7830000.3.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.powershell.exe.7830000.3.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.powershell.exe.7830000.3.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.powershell.exe.7830000.3.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
Source: 0.2.powershell.exe.7830000.3.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.powershell.exe.7830000.3.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.powershell.exe.7830000.3.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.powershell.exe.7830000.3.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.powershell.exe.7830000.3.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.powershell.exe.7830000.3.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winPS1@31/20@10/7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_004462F0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW | 10_2_004462F0
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Wboznfrytj
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ce23hakt.mpt.ps1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                      Source: chrome.exe, 0000000B.00000002.2604718264.00006044009AD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
                      Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9222
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2360,i,12572725249836980227,2714334880502120775,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2536 /prefetch:3
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2360,i,12572725249836980227,2714334880502120775,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5240 /prefetch:8
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9222Jump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2360,i,12572725249836980227,2714334880502120775,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2536 /prefetch:3Jump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2360,i,12572725249836980227,2714334880502120775,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5240 /prefetch:8Jump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: mrmcorer.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: efswrt.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: twinapi.appcore.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: oleacc.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: textinputframework.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: policymanager.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: msvcp110_win.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1Static file information: File size 6298455 > 1048576
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: powershell.exe, 00000000.00000002.2052853370.0000000007830000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: powershell.exe, 00000000.00000002.2052853370.0000000007830000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

                      Source: 0.2.powershell.exe.7830000.3.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                      Source: 0.2.powershell.exe.7830000.3.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                      Source: 0.2.powershell.exe.7830000.3.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                      Source: Yara matchFile source: 0.2.powershell.exe.72b8eb8.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.powershell.exe.72b8eb8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.2029749606.000000000726C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8044, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 8044, type: MEMORYSTR
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_055462BB push ebx; retf 0_2_055462D2
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_0554BD3D pushfd ; iretd 0_2_0554BD61
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_0554BCD2 pushfd ; retf 0_2_0554BCE1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_0554BCA2 pushad ; retf 0_2_0554BCD1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_0767E808 push esp; iretd 0_2_0767E815
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_078F3427 pushad ; iretd 0_2_078F3441
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_078F5083 push esp; iretd 0_2_078F5084
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_078F4B76 push edx; iretd 0_2_078F4B77
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_004524BD push ecx; iretd 10_2_004524BE
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00458687 push edi; retf 10_2_00458675
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 6181
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 3437
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7840  Thread sleep time: -10145709240540247s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2072  Thread sleep time: -120000s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 0_2_078F1680 GetSystemInfo, 0_2_078F1680
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData
                      Source: chrome.exe, 0000000B.00000002.2610799337.00006044016BC000.00000004.00001000.00020000.00000000.sdmp  Binary or memory string: VMware
                      Source: chrome.exe, 0000000B.00000002.2594614547.000001BE432E9000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2594139614.000001BE3FE54000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V Dynamic Memory Integration Service
                      Source: powershell.exe, 0000000A.00000002.2580485402.0000000002D3C000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
                      Source: chrome.exe, 0000000B.00000002.2594139614.000001BE3FF1D000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V Dynamic Memory Integration ServiceThw
                      Source: chrome.exe, 0000000B.00000002.2594139614.000001BE3FF1D000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V Hypervisor!n
                      Source: powershell.exe, 0000000A.00000002.2580485402.0000000002D0C000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW0^
                      Source: chrome.exe, 0000000B.00000002.2594614547.000001BE432E9000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V VM Vid Partition
                      Source: chrome.exe, 0000000B.00000002.2594139614.000001BE3FEDB000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: &Hyper-V Hypervisore
                      Source: chrome.exe, 0000000B.00000002.2594139614.000001BE3FE91000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V Hypervisor Root Partition
                      Source: chrome.exe, 0000000B.00000002.2594614547.000001BE432E9000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: VHyper-V Dynamic Memory Integration Service
                      Source: chrome.exe, 0000000B.00000002.2594614547.000001BE432E9000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: 2Hyper-V Hypervisor Root Virtual oc
                      Source: chrome.exe, 0000000B.00000002.2594614547.000001BE432E9000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V atemggfgfogmffu BusW
                      Source: chrome.exe, 0000000B.00000002.2594614547.000001BE432E9000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V Virtual Machine Bus Pipes
                      Source: chrome.exe, 0000000B.00000002.2594139614.000001BE3FE91000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: JHyper-V Hypervisor Logical Processor
                      Source: chrome.exe, 0000000B.00000002.2580931918.000001BE3C278000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllPPf
                      Source: chrome.exe, 0000000B.00000002.2594139614.000001BE3FF1D000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V Hypervisor Logical Processorsys
                      Source: chrome.exe, 0000000B.00000002.2594139614.000001BE3FF1D000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
                      Source: chrome.exe, 0000000B.00000002.2608197077.00006044011C0000.00000004.00001000.00020000.00000000.sdmp  Binary or memory string: VMware Virtual USB Mouse
                      Source: chrome.exe, 0000000B.00000002.2594614547.000001BE432E9000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: X2Hyper-V VM Vid Partition
                      Source: chrome.exe, 0000000B.00000002.2594614547.000001BE432E9000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: THyper-V Hypervisor Root Virtual Processor
                      Source: chrome.exe, 0000000B.00000002.2594614547.000001BE432E9000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V Hypervisor Root Partitionl
                      Source: chrome.exe, 0000000B.00000002.2594614547.000001BE432E9000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: VHyper-V Dynamic Memory Integration Service|XW
                      Source: chrome.exe, 0000000B.00000002.2594139614.000001BE3FE91000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: sWDHyper-V Hypervisor Root Partition
                      Source: chrome.exe, 0000000B.00000003.2329142701.0000604400320000.00000004.00001000.00020000.00000000.sdmp  Binary or memory string: VMware20,1(
                      Source: chrome.exe, 0000000B.00000002.2594139614.000001BE3FF1D000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V Hypervisor Logical Processor0.0
                      Source: chrome.exe, 0000000B.00000002.2594139614.000001BE3FE91000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Virtual Machine Bus PipesV
                      Source: chrome.exe, 0000000B.00000002.2594614547.000001BE432E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V atemggfgfogmffu Bus Pipesd
                      Source: chrome.exe, 0000000B.00000003.2375511951.000001BE4337C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @@ >BrowserMetrics-67CAF8A9-924.pmaed Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference C
                      Source: powershell.exe, 00000000.00000002.2053622633.0000000007B9C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: chrome.exe, 0000000B.00000002.2594614547.000001BE432E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipesl
                      Source: chrome.exe, 0000000B.00000002.2594139614.000001BE3FE91000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AlDHyper-V Virtual Machine Bus Pipes
                      Source: chrome.exe, 0000000B.00000002.2610229410.0000604401490000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=a5e23315-7e5e-4318-9d1f-31a4a9b32627
                      Source: chrome.exe, 0000000B.00000002.2594139614.000001BE3FEDB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisoresb
                      Source: chrome.exe, 0000000B.00000003.2379969476.000001BE43447000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NXTVMWare
                      Source: chrome.exe, 0000000B.00000003.2377054582.000001BE4341D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2379270099.000001BE4341D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2376963739.000001BE43405000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2379430000.000001BE4341D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000B.00000003.2380579663.000001BE4341D000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000B.00000002.2594614547.000001BE4341D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: offers queue size9612Publication Cache: Published contents9614Local Cache: Average access time3432WSMan Quota Statistics3434Total Requests/Second3436User Quota Violations/Second3438System Quota Violations/Second3440Active Shells3442Active Operations3444Active Users3446Process ID1914Hyper-V VM Vid Partition1916Physical Pages Allocated1918Preferred NUMA Node Index1920Remote Physical Pages1922ClientHandles1924CompressPackTimeInUs1926CompressUnpackTimeInUs1928CompressPackInputSizeInBytes1930CompressUnpackInputSizeInBytes1932CompressPackOutputSizeInBytes1934CompressUnpackOutputSizeInBytes1936CompressUnpackUncompressedInputSizeInBytes1938CompressPackDiscardedSizeInBytes1940CompressWorkspaceSizeInBytes1942CompressScratchPoolSizeInBytes1944CryptPackTimeInUs1946CryptUnpackTimeInUs1948CryptPackInputSizeInBytes1950CryptUnpackInputSizeInBytes1952CryptPackOutputSizeInBytes1954CryptUnpackOutputSizeInBytes1956CryptScratchPoolSizeInBytes
                      Source: chrome.exe, 0000000B.00000002.2594614547.000001BE432E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor
                      Source: chrome.exe, 0000000B.00000002.2594139614.000001BE3FF1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2Hyper-V VM Vid Partitionvity=mK
                      Source: chrome.exe, 0000000B.00000003.2375351273.000001BE4341D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e9606Retrieval: Average branch rate9608Discovery: Successful discoveries9610Hosted Cache: Segment offers queue size9612Publication Cache: Published contents9614Local Cache: Average access time3432WSMan Quota Statistics3434Total Requests/Second3436User Quota Violations/Second3438System Quota Violations/Second3440Active Shells3442Active Operations3444Active Users3446Process ID1914Hyper-V VM Vid Partition1916Physical Pages Allocated1918Preferred NUMA Node Index1920Remote Physical Pages1922ClientHandles1924CompressPackTimeInUs1926CompressUnpackTimeInUs1928CompressPackInputSizeInBytes1930CompressUnpackInputSizeInBytes1932CompressPackOutputSizeInBytes1934CompressUnpackOutputSizeInBytes1936CompressUnpackUncompressedInputSizeInBytes1938CompressPackDiscardedSizeInBytes1940CompressWorkspaceSizeInBytes1942CompressScratchPoolSizeInBytes1944CryptPackTimeInUs1946CryptUnpackTimeInUs1948CryptPackInputSizeInBytes1950CryptUnpackInputSizeInBytes1952CryptPackOutputSizeInBytes1954CryptUnpackOutputSizeInBytes1956CryptScratchPoolSizeInBytes
                      Source: chrome.exe, 0000000B.00000002.2594614547.000001BE432E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid PartitionDfz
                      Source: chrome.exe, 0000000B.00000002.2594139614.000001BE3FE91000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Hypervisor Root PartitionM
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAPI call chain: ExitProcess graph end nodegraph_10-22123
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_0044BF90 LdrInitializeThunk,10_2_0044BF90
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9222
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\Desktop\bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1 VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
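Two lines in this section are the ones a detection engineer would key on: a buffer beginning with 4D5A (an MZ header, i.e. a PE image) written into a second powershell.exe at base 0x400000, which is the write a loader performs when hollowing a suspended child, and chrome.exe started from PowerShell with --remote-debugging-port=9222, which exposes the DevTools protocol on localhost so that a local client can ask the browser for cookies and page data the browser decrypts itself. The Python below is an added example, not part of the Joe Sandbox report: it runs those two rules over constructed, EDR-style event records modelled on the lines above. The Event fields, the rule names, the BROWSER_IMAGES allowlist and the COMMON_IMAGE_BASES set are this example's own assumptions, not a vendor schema.

```python
"""Two triage rules over constructed process telemetry (example code).

Rule 1: a PE image (MZ header) written into another process at a common
        image base, as seen for powershell.exe -> powershell.exe.
Rule 2: a Chromium browser launched with DevTools remote debugging enabled
        by a parent that is not itself a browser.
"""
import ntpath
import re
from dataclasses import dataclass

# Browsers that legitimately spawn Chromium child processes; any other parent
# enabling remote debugging is reported. Assumed allowlist, tune per estate.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}

# Default image bases for 32-bit and 64-bit PE files; the report shows the
# write landing at 0x400000.
COMMON_IMAGE_BASES = {0x400000, 0x140000000}

REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-(?:port=(\d+)|pipe)\b")


@dataclass
class Event:
    kind: str               # "process_create" or "memory_write"
    source_image: str       # full path of the acting process
    target_image: str       # process created, or process written to
    command_line: str = ""  # process_create only
    base: int = 0           # memory_write only: destination address
    data: bytes = b""       # memory_write only: first bytes written


def image_name(path: str) -> str:
    """Basename of a Windows path, case-folded, regardless of host OS."""
    return ntpath.basename(path).lower()


def check_remote_debug_launch(ev: Event):
    """Chromium started with --remote-debugging-port/-pipe by a non-browser parent."""
    if ev.kind != "process_create" or image_name(ev.target_image) not in BROWSER_IMAGES:
        return None
    m = REMOTE_DEBUG_RE.search(ev.command_line)
    if not m or image_name(ev.source_image) in BROWSER_IMAGES:
        return None
    return {
        "rule": "chromium_remote_debugging_from_non_browser",
        "parent": image_name(ev.source_image),
        "port": int(m.group(1)) if m.group(1) else None,
    }


def check_image_base_overwrite(ev: Event):
    """An MZ header written into another process; same image name on both
    sides (powershell.exe into powershell.exe) does not make it benign."""
    if ev.kind != "memory_write" or not ev.data.startswith(b"MZ"):
        return None
    return {
        "rule": "pe_image_written_to_foreign_process",
        "target": image_name(ev.target_image),
        "at_image_base": ev.base in COMMON_IMAGE_BASES,
    }


RULES = (check_remote_debug_launch, check_image_base_overwrite)


def triage(events):
    """Run every rule over every event and return the findings in order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed events modelled on the report's process tree (not captured
# telemetry): the same paths and command line as the behaviour lines above.
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

SAMPLE_EVENTS = [
    Event("memory_write", PS, PS, base=0x400000, data=b"MZ\x90\x00"),
    Event("process_create", PS, CHROME,
          command_line=f'"{CHROME}" --profile-directory="Default" --remote-debugging-port=9222'),
    # Benign control: the browser spawning its own child, which must not fire.
    Event("process_create", CHROME, CHROME,
          command_line=f'"{CHROME}" --type=renderer --remote-debugging-port=9222'),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On the constructed events the first two records produce one finding each and the browser-spawned child produces none. A developer launching Chrome with remote debugging from a terminal would also trip rule 2; the parent allowlist is where that gets tuned, not the flag itself.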

Stealing of Sensitive Information

Source: Yara match | File source: 10.2.powershell.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.powershell.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2577756288.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3104, type: MEMORYSTR
Source: powershell.exe, 0000000A.00000002.2580485402.0000000002D3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
Source: powershell.exe, 0000000A.00000002.2580485402.0000000002D3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
Source: powershell.exe, 0000000A.00000002.2580485402.0000000002DC1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx Libertys;
Source: powershell.exe, 0000000A.00000002.2580485402.0000000002D3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: powershell.exe, 0000000A.00000002.2580485402.0000000002D3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: powershell.exe, 0000000A.00000002.2580485402.0000000002D3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3
Source: powershell.exe, 0000000A.00000002.2580485402.0000000002D3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum
Source: powershell.exe, 0000000A.00000002.2580485402.0000000002D0C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: powershell.exe, 00000000.00000002.2056425257.0000000007F20000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3104, type: MEMORYSTR

                      Remote Access Functionality

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Process created: C:\Program Files\Google\Chrome\Application\chrome.exe, command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9222
Source: Yara match; File source: 10.2.powershell.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.powershell.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000A.00000002.2577756288.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: sslproxydump.pcap, type: PCAP
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 3104, type: MEMORYSTR
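The two behaviours recorded above are the ones a defender should be able to catch: a single powershell.exe sweeping the Chrome profile (Login Data For Account, Local Extension Settings for wallet extensions) and a dozen desktop-wallet directories, and then relaunching the user's own Chrome with --remote-debugging-port=9222. The second is the "Attempt to bypass Chrome Application-Bound Encryption" signature in practice: App-Bound Encryption binds the key protecting Chrome's cookies to a Chrome-elevation service, so copying the profile's databases from another process no longer yields plaintext, but a browser started with a remote-debugging switch exposes the live DevTools endpoint on localhost and returns decrypted cookies on request (the behavior graph below records the second powershell.exe connecting to 127.0.0.1, which is consistent with that). The following detection logic is an added example written for this report; it is not code from the sample, from Joe Sandbox, or from any vendor. It runs over constructed Sysmon-style file-access and process-creation records: the powershell.exe, chrome.exe and profile paths and the chrome.exe command line are copied from the report, while the Exodus.exe location, the explorer.exe launch and the node.exe/Puppeteer-style launch are assumptions used to show what should not fire.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Set, Tuple

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe", "opera.exe", "vivaldi.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Credential stores the sample opened, as lower-case '/'-separated path fragments.
# "chrome" covers every file under the profile (Login Data, Local Extension Settings, ...).
STORES = {
    "chrome": "/appdata/local/google/chrome/user data/",
    "exodus": "/appdata/roaming/exodus/",
    "ledger live": "/appdata/roaming/ledger live",
    "atomic": "/appdata/roaming/atomic/",
    "coinomi": "/appdata/local/coinomi/",
    "bitcoin": "/appdata/roaming/bitcoin/",
    "binance": "/appdata/roaming/binance",
    "jaxx": "/appdata/roaming/com.liberty.jaxx/",
    "electrum": "/appdata/roaming/electrum",  # also matches Electrum-LTC
    "guarda": "/appdata/roaming/guarda/",
}
RE_PORT = re.compile(r"--remote-debugging-port=(\d+)", re.I)
RE_PIPE = re.compile(r"--remote-debugging-pipe\b", re.I)
RE_PROFILE = re.compile(r'--profile-directory=(?:"([^"]*)"|(\S+))', re.I)


@dataclass
class Finding:
    rule: str
    severity: str
    process: str
    detail: List[str] = field(default_factory=list)


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def credential_store_sweep(file_events: Iterable[dict], min_stores: int = 3) -> List[Finding]:
    """One process reading several unrelated stores is the stealer pattern; a browser
    reading its own profile, or a wallet reading its own data, is not."""
    touched: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for ev in file_events:
        proc = _name(ev["Image"])
        target = ev["TargetFilename"].lower().replace("\\", "/")
        for store, fragment in STORES.items():
            if fragment in target and not (store == "chrome" and proc in BROWSERS):
                touched[(proc, ev["ProcessId"])].add(store)
    findings = []
    for (proc, pid), stores in touched.items():
        if len(stores) >= min_stores:
            findings.append(Finding("credential_store_sweep", "high", f"{proc} (pid {pid})", sorted(stores)))
        elif proc in SCRIPT_HOSTS:  # a script host touching even one store deserves a look
            findings.append(Finding("credential_store_sweep", "medium", f"{proc} (pid {pid})", sorted(stores)))
    return findings


def remote_debugging_launch(proc_events: Iterable[dict]) -> List[Finding]:
    """A browser started with DevTools remote debugging hands its decrypted cookies to any
    local client; escalate when a script host points it at the user's real profile instead
    of a scratch --user-data-dir, which is what automation frameworks normally use."""
    findings = []
    for ev in proc_events:
        image, parent = _name(ev["Image"]), _name(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        port = RE_PORT.search(cmd)
        if image not in BROWSERS or parent == image or not (port or RE_PIPE.search(cmd)):
            continue  # not a browser, a browser-internal child, or no debugging switch
        detail = ["remote debugging via " + (f"port {port.group(1)}" if port else "pipe"), f"parent {parent}"]
        score = 1
        if parent in SCRIPT_HOSTS:
            score += 2
        prof = RE_PROFILE.search(cmd)
        if prof and "--user-data-dir=" not in cmd.lower():
            score += 1
            detail.append(f"real profile {prof.group(1) or prof.group(2)!r}")
        findings.append(Finding("remote_debugging_launch", "high" if score >= 3 else "medium", image, detail))
    return findings


# Constructed telemetry. PS, CHROME and USER paths are the report's; the rest are assumptions.
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
USER = r"C:\Users\user\AppData"
TMP_PROFILE = r"C:\Users\dev\AppData\Local\Temp\puppeteer_dev_chrome_profile-1234"  # assumed
FILE_EVENTS = [
    {"Image": PS, "ProcessId": 3104, "TargetFilename": USER + r"\Local\Google\Chrome\User Data\Default\Login Data For Account"},
    {"Image": PS, "ProcessId": 3104, "TargetFilename": USER + r"\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn"},
    {"Image": PS, "ProcessId": 3104, "TargetFilename": USER + r"\Roaming\Exodus\exodus.wallet"},
    {"Image": PS, "ProcessId": 3104, "TargetFilename": USER + r"\Roaming\Electrum\wallets"},
    {"Image": CHROME, "ProcessId": 5120, "TargetFilename": USER + r"\Local\Google\Chrome\User Data\Default\Login Data"},  # benign
    {"Image": USER + r"\Local\exodus\Exodus.exe", "ProcessId": 6000, "TargetFilename": USER + r"\Roaming\Exodus\exodus.wallet"},  # benign
]
PROC_EVENTS = [
    {"Image": CHROME, "ParentImage": PS, "CommandLine": f'"{CHROME}" --profile-directory="Default" --remote-debugging-port=9222'},  # observed
    {"Image": CHROME, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{CHROME}" --profile-directory=Default'},  # user launch
    {"Image": CHROME, "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": f'"{CHROME}" --headless --remote-debugging-port=0 --user-data-dir="{TMP_PROFILE}" about:blank'},  # automation
]

if __name__ == "__main__":
    for f in credential_store_sweep(FILE_EVENTS) + remote_debugging_launch(PROC_EVENTS):
        print(f.severity.upper(), f.rule, f.process, "; ".join(f.detail))
```

Against the constructed events the sweep rule fires once, at high severity, for powershell.exe pid 3104 (three unrelated stores), and stays silent for Chrome and Exodus reading their own data; the launch rule rates the observed chrome.exe command line high and the headless automation launch medium. Aggregating per process rather than alerting on every single file open is what keeps the first rule usable, and skipping browser-internal children keeps the second one from firing several times per launch.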
ATT&CK Matrix (rebuilt from the flattened table; the bracketed numbers are the signature-count badges shown in the original matrix, techniques without a badge are the matrix template's untriggered entries)

Reconnaissance: no signatures (Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS)
Resource Development: no signatures (Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services)
Initial Access: no signatures (Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services)
Execution: Windows Management Instrumentation [1], Scheduled Task/Job [1]; untriggered: At, Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: Create Account [1], Scheduled Task/Job [1], DLL Side-Loading [1]; untriggered: Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: Process Injection [111], Scheduled Task/Job [1], DLL Side-Loading [1]; untriggered: Login Hook, Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Masquerading [1], Virtualization/Sandbox Evasion [21], Process Injection [111], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [3], Software Packing [1], DLL Side-Loading [1]
Credential Access: OS Credential Dumping [1]; untriggered: LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Security Software Discovery [1], Process Discovery [1], Virtualization/Sandbox Evasion [21], Application Window Discovery [1], File and Directory Discovery [2], System Information Discovery [22]; untriggered: Remote System Discovery
Lateral Movement: no signatures (Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management)
Collection: Screen Capture [1], Archive Collected Data [1], Data from Local System [3], Clipboard Data [2]; untriggered: Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Encrypted Channel [21], Remote Access Software [1], Ingress Tool Transfer [1], Non-Application Layer Protocol [3], Application Layer Protocol [14]; untriggered: Multiband Communication, Commonly Used Port
Exfiltration: no signatures (Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel)
Impact: no signatures (Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery)
Behavior Graph

Behavior Graph ID: 1631707; Sample: bdc2be5bddda548dec3c2d88464...; Start date: 07/03/2025; Architecture: WINDOWS; Score: 100

Legend (the graph's icons are not reproduced in text): process, signature, created file, DNS/IP info, dropped file, Windows process, implementation language (Visual Basic, Delphi, Java, .NET C# or VB.NET, C/C++ or other), malicious, Internet. The numbers following a process name are the counts the legend labels "Number of created Registry Values" and "Number of created Files".

Sample (root node)
  Domains: neurozovery.life; agroecologyguide.digital; 2 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 7 other signatures
  Started: powershell.exe (15, 20); notepad.exe (5)

powershell.exe (15, 20)
  Network: u1.wildnessreflected.shop, 104.21.16.1, ports 443, 49690, CLOUDFLARENETUS, United States
  Signatures: Attempt to bypass Chrome Application-Bound Encryption; Found many strings related to Crypto-Wallets (likely being stolen); Injects a PE file into a foreign processes
  Started: powershell.exe (child); conhost.exe

  powershell.exe (child)
    Network: agroecologyguide.digital, 172.67.187.236, ports 443, 49691, 49692, CLOUDFLARENETUS, United States; 127.0.0.1, unknown, unknown
    Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
    Started: chrome.exe

    chrome.exe
      Network: 192.168.2.5, ports 138, 443, 49675, unknown, unknown
      Started: chrome.exe; chrome.exe

      chrome.exe (first child)
        Network: www.google.com, 142.250.185.228, ports 443, 49697, 49698, GOOGLEUS, United States; plus.l.google.com, 142.250.186.142, ports 443, 61958, GOOGLEUS, United States; 2 other IPs or domains

      chrome.exe (second child)

  conhost.exe

notepad.exe (5)

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.