Windows Analysis Report
SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe
Analysis ID: 1663544
MD5: 32fea4b1c6b90660c9107de739d3377e
SHA1: f2d220a76ad0a679fbc886f5bfb234070a03298c
SHA256: 1fca00c3d850ca597f9aadd1e30f78d760e4949657aabca67438766535074298
Tags: exe, user-SecuriteInfoCom

Detection

LummaC Stealer
Score:100
Range:0 - 100
Confidence:100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe (PID: 6996 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe" MD5: 32FEA4B1C6B90660C9107DE739D3377E)
    • Acrobat.exe (PID: 7144 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\chicos.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 6652 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 1840 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2232 --field-trial-handle=1568,i,3161660524904060145,7389112258503054530,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  • SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe (PID: 7764 cmdline: "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe" MD5: 32FEA4B1C6B90660C9107DE739D3377E)
    • RegAsm.exe (PID: 7920 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • chrome.exe (PID: 7956 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9203 MD5: E81F54E6C1129887AEA47E7D092680BF)
        • chrome.exe (PID: 8172 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2296,i,6470514897906357561,16771571558271780374,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe (PID: 2760 cmdline: "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe" MD5: 32FEA4B1C6B90660C9107DE739D3377E)
    • CasPol.exe (PID: 8556 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
      • chrome.exe (PID: 8768 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9203 MD5: E81F54E6C1129887AEA47E7D092680BF)
        • chrome.exe (PID: 8984 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2436,i,18332296753667315141,5140261838621725838,262144 --variations-seed-version --mojo-platform-channel-handle=2528 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
Malware configuration (LummaC):
{"C2 url": ["unbinddas.digital/qwez", "jrxsafer.top/shpaoz", "plantainklj.run/opafg", "puerrogfh.live/iqwez", "quavabvc.top/iuzhd", "advennture.top/GKsiio", "targett.top/dsANGt", "rambutanvcx.run/adioz", "ywmedici.top/noagis"], "Build id": "15c0809998ff0231389bed2b0618b07a9e8d5eede1"}

Yara matches

Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security

Source (memory dump) | Rule | Description | Author
0000000A.00000003.1727265327.0000000003871000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
00000003.00000002.2782206486.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
0000000E.00000003.1800206145.00000000039E1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
00000003.00000002.2781644555.0000000003BB9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
0000000A.00000002.2781289023.00000000038F9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
(7 further memory-dump matches not shown)
Sigma matches

Rule: Browser Started with Remote Debugging (authors: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)); source: process started
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe (ProcessId 7956; NewProcessName and OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe)
  CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9203
  ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (ParentProcessId 7920)
  ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Rule: CurrentVersion Autorun Keys Modification (authors: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)); source: registry key set
  EventID: 13 (SetValue)
  TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutoStartApp
  Details: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe
  Image: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe (ProcessId 1568)
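The two Sigma matches above are the detection-relevant part of this report: Chrome launched with --remote-debugging-port by a .NET utility (RegAsm.exe, and CasPol.exe in the second run) that the stealer had injected into, which is the route Joe Sandbox flags as an attempt to bypass Chrome Application-Bound Encryption, and a Run value pointing at a copy of the sample under AppData\Roaming. The following Python is an added example, not part of the Joe Sandbox report and not the Sigma rules themselves; it applies equivalent checks to constructed Sysmon-style events modelled on those two matches. The field names, the list of .NET host binaries beyond RegAsm/CasPol, the extra browser names and the severity labels are assumptions.

```python
import re

# Constructed Sysmon-style events modelled on the two Sigma matches in this report
# (Sysmon EventID 1 = process creation, EventID 13 = registry value set).
# These are not captured sandbox events; the second one is a benign control case.
EVENTS = [
    {"EventID": 1, "ProcessId": 7956,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9203',
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"EventID": 1, "ProcessId": 4242,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "ProcessId": 1568, "EventType": "SetValue",
     "Image": r"C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutoStartApp",
     "Details": r"C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
# RegAsm.exe and CasPol.exe host the injected stealer in this report; the other
# entries are further .NET utilities commonly abused the same way (assumption).
INJECTION_HOSTS = {"regasm.exe", "caspol.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
REMOTE_DEBUG = re.compile(r"--remote-debugging-(?:port=(\d+)|pipe)", re.IGNORECASE)
RUN_KEYS = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local)\\|\\Users\\Public\\|\\ProgramData\\", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, so image comparisons ignore directory and case."""
    return path.rsplit("\\", 1)[-1].lower()


def check_remote_debugging(ev):
    """Browser started with a DevTools remote-debugging switch (Sigma: Browser Started
    with Remote Debugging). The parent image decides severity: a .NET utility launching
    Chrome this way has no legitimate explanation, a developer shell might."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) not in BROWSERS:
        return None
    m = REMOTE_DEBUG.search(ev.get("CommandLine", ""))
    if not m:
        return None
    parent = basename(ev.get("ParentImage", ""))
    return {"rule": "browser_remote_debugging", "pid": ev["ProcessId"], "parent": parent,
            "port": m.group(1), "severity": "high" if parent in INJECTION_HOSTS else "medium"}


def check_autorun(ev):
    """Run/RunOnce value written (Sigma: CurrentVersion Autorun Keys Modification).
    A value pointing into a user-writable directory is the stealer's persistence pattern."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    if not RUN_KEYS.search(ev.get("TargetObject", "")):
        return None
    details = ev.get("Details", "")
    return {"rule": "autorun_key_set", "pid": ev["ProcessId"], "value": ev["TargetObject"],
            "target": details, "severity": "high" if USER_WRITABLE.search(details) else "low"}


def scan(events):
    """Run every check over every event and return the hits in event order."""
    hits = []
    for ev in events:
        for check in (check_remote_debugging, check_autorun):
            hit = check(ev)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

Run against the three constructed events, the scan returns two hits (the RegAsm-spawned Chrome with port 9203 and the Run value under AppData\Roaming) and nothing for the explorer-launched Chrome without the switch. Feeding it real Sysmon output only requires mapping the XML event fields onto the same dictionary keys.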
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-11T22:51:56.256181+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49687 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:01.197894+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49691 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:02.404039+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49694 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:03.511172+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49699 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:06.614413+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49705 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:08.474500+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49707 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:08.596477+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49708 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:11.251319+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49709 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:15.639702+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49728 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:20.157633+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49739 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:21.482206+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49740 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:22.644051+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49741 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:23.486477+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49742 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:25.413025+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49743 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:26.667526+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49744 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:28.650880+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49757 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:35.981071+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49770 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:36.846418+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49771 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:37.840715+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49772 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:38.816044+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49773 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:40.670417+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49774 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:41.752427+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49776 | 172.67.172.163 | 443 | TCP
2025-04-11T22:52:43.739039+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.6 | 49777 | 172.67.172.163 | 443 | TCP

AV Detection

Source: 0000000A.00000003.1727265327.0000000003871000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["unbinddas.digital/qwez", "jrxsafer.top/shpaoz", "plantainklj.run/opafg", "puerrogfh.live/iqwez", "quavabvc.top/iuzhd", "advennture.top/GKsiio", "targett.top/dsANGt", "rambutanvcx.run/adioz", "ywmedici.top/noagis"], "Build id": "15c0809998ff0231389bed2b0618b07a9e8d5eede1"}
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | ReversingLabs: Detection: 19%
Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Virustotal: Detection: 28%
Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | ReversingLabs: Detection: 19%
Source: Submitted sample | Neural Call Log Analysis: 98.1%
Source: 0000000A.00000003.1727265327.0000000003871000.00000004.00000020.00020000.00000000.sdmp | String decryptor: unbinddas.digital/qwez
Source: 0000000A.00000003.1727265327.0000000003871000.00000004.00000020.00020000.00000000.sdmp | String decryptor: jrxsafer.top/shpaoz
Source: 0000000A.00000003.1727265327.0000000003871000.00000004.00000020.00020000.00000000.sdmp | String decryptor: plantainklj.run/opafg
Source: 0000000A.00000003.1727265327.0000000003871000.00000004.00000020.00020000.00000000.sdmp | String decryptor: puerrogfh.live/iqwez
Source: 0000000A.00000003.1727265327.0000000003871000.00000004.00000020.00020000.00000000.sdmp | String decryptor: quavabvc.top/iuzhd
Source: 0000000A.00000003.1727265327.0000000003871000.00000004.00000020.00020000.00000000.sdmp | String decryptor: advennture.top/GKsiio
Source: 0000000A.00000003.1727265327.0000000003871000.00000004.00000020.00020000.00000000.sdmp | String decryptor: targett.top/dsANGt
Source: 0000000A.00000003.1727265327.0000000003871000.00000004.00000020.00020000.00000000.sdmp | String decryptor: rambutanvcx.run/adioz
Source: 0000000A.00000003.1727265327.0000000003871000.00000004.00000020.00020000.00000000.sdmp | String decryptor: ywmedici.top/noagis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041A811 CryptUnprotectData | 11_2_0041A811
Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.192.142.25:443 -> 192.168.2.6:49684 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.5.21.193:443 -> 192.168.2.6:49685 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.192.142.25:443 -> 192.168.2.6:49686 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49687 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49691 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49694 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.192.142.25:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.192.142.26:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49757 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49770 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49771 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49772 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49773 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49774 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49776 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49777 version: TLS 1.2
Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002F4633 FindFirstFileExW | 0_2_002F4633
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 3_2_00B04633 FindFirstFileExW | 3_2_00B04633
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then add ebp, esi | 6_2_00430000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov byte ptr [edi], al | 6_2_0041234F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-39CB2B86h] | 6_2_0040D700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then cmp word ptr [edi+ebx], 0000h | 6_2_00450780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] | 6_2_00409C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] | 6_2_00409C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-46h] | 6_2_0040FA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx edi, byte ptr [ecx+esi] | 6_2_00402020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx ebx, byte ptr [esi+01h] | 6_2_00401C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7749D400h] | 6_2_0040BEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movsx eax, byte ptr [esi+ecx] | 6_2_0040AD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx] | 6_2_00450330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov ebp, eax | 6_2_00408390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then movzx ebx, byte ptr [eax+esi] | 6_2_0040C590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov word ptr [eax], cx | 11_2_0041D811
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [esi], al | 11_2_00422D6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], B245113Ah | 11_2_0041DBCF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [esp+04h], edx | 11_2_0041DBCF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov esi, ecx | 11_2_004205D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov esi, ecx | 11_2_004205D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [esp], ecx | 11_2_004205D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ecx], al | 11_2_00422C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ecx], al | 11_2_00422C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h | 11_2_0041B202
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h | 11_2_0041B232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov byte ptr [ecx], al | 11_2_00423A3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+ebp+02h] | 11_2_00429AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h | 11_2_0041E6D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax+2184E64Eh] | 11_2_0041AAFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h | 11_2_0041B885
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h | 11_2_00429570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h | 11_2_0041BD04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h | 11_2_0041B885
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx esi, byte ptr [esp+eax-7C9EAF8Ah] | 11_2_0041C1A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov ecx, edi | 11_2_0041C3B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then movzx eax, byte ptr [esp+ebx+44h] | 11_2_004106A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 7A5B3AD5h | 11_2_00451490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then cmp dword ptr [edx+ebx*8], A0E666EBh | 15_2_0044A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax-56h] | 15_2_0044A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx-10h] | 15_2_00446020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h | 15_2_0044D03C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-3465FF36h] | 15_2_0044AA53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax-62h] | 15_2_0044AA53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-62h] | 15_2_0044AA53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then mov word ptr [ecx], dx | 15_2_0044CB42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then cmp dword ptr [eax+edx*8], A0D89AB2h | 15_2_0044E3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then mov byte ptr [esi], cl | 15_2_00437545
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+3Ch] | 15_2_004340F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then mov byte ptr [esi], cl | 15_2_00437897
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h | 15_2_0044D143
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h | 15_2_0044D137
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then mov dword ptr [esp+08h], eax | 15_2_004349FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 15_2_00435180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then mov dword ptr [esp+08h], eax | 15_2_00434A1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax-18851F36h] | 15_2_0043A2E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then movzx ecx, word ptr [esi] | 15_2_0044FA98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 15_2_00443310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx] | 15_2_00447B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then movzx edi, byte ptr [esp+esi] | 15_2_0044FBBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then mov byte ptr [edi], cl | 15_2_004395C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then mov dword ptr [esp], ecx | 15_2_0043859A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then mov byte ptr [edi], cl | 15_2_0043859A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then jmp eax | 15_2_00431747
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax-62h] | 15_2_00449F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then mov byte ptr [edi], cl | 15_2_00439710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then mov word ptr [ecx], dx | 15_2_004119F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then mov eax, dword ptr [esi+0Ch] | 15_2_00411000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then mov edi, ecx | 15_2_00411D16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 4x nop then mov edi, ecx | 15_2_00411E0F
Source: chrome.exe | Memory has grown: Private usage: 5MB later: 39MB

Networking

Source: Malware configuration extractor | URLs: unbinddas.digital/qwez
Source: Malware configuration extractor | URLs: jrxsafer.top/shpaoz
Source: Malware configuration extractor | URLs: plantainklj.run/opafg
Source: Malware configuration extractor | URLs: puerrogfh.live/iqwez
Source: Malware configuration extractor | URLs: quavabvc.top/iuzhd
Source: Malware configuration extractor | URLs: advennture.top/GKsiio
Source: Malware configuration extractor | URLs: targett.top/dsANGt
Source: Malware configuration extractor | URLs: rambutanvcx.run/adioz
Source: Malware configuration extractor | URLs: ywmedici.top/noagis
Source: Joe Sandbox View | IP Address: 104.192.142.26
Source: Joe Sandbox View | IP Address: 104.192.142.25
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49687 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49694 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49705 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49709 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49691 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49707 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49708 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49728 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49699 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49741 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49740 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49739 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49744 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49743 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49742 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49757 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49770 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49771 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49772 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49773 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49774 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49777 -> 172.67.172.163:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49776 -> 172.67.172.163:443
              Source: unknown | TCP traffic detected without corresponding DNS query: 20.42.65.91
              Source: unknown | TCP traffic detected without corresponding DNS query: 2.23.227.215
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (20 identical entries)
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002A6A00 GetTempPathA,GetFileAttributesA,LoadLibraryA,LoadLibraryA,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,FreeLibrary,URLDownloadToFileA,FreeLibrary,FreeLibrary,FreeLibrary,ShellExecuteA,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,std::ios_base::_Ios_base_dtor,0_2_002A6A00
              Source: global traffic | HTTP traffic detected:
                GET /fedormaximofgfdvdc/saxxxax/downloads/chicos.pdf HTTP/1.1
                Accept: */*
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                Host: bitbucket.org
                Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /6544da31-4ffc-4ef7-929c-ad409ab2ef2f/downloads/21ffe1a0-863b-4292-ac6b-b3097c9ca54a/chicos.pdf?response-content-disposition=attachment%3B%20filename%3D%22chicos.pdf%22&AWSAccessKeyId=ASIA6KOSE3BNL7F3DWKE&Signature=EzbQwOkqVgbU%2Fknor2ru5kwmxyQ%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEE0aCXVzLWVhc3QtMSJHMEUCIERjcQw4%2Fs4YNWIGHe3HhpcdgnLvZfuIuaGhrIwdsvTwAiEAigq55hIui2boFp52BRs0CBHLPAnNifAO0wWORPMAHTwqsAIIxv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw5ODQ1MjUxMDExNDYiDPDm4E2Vc%2B7%2B4tebvyqEAieS6xFHz183QuvdK%2FHM5UKSBHHLCZShY7wbcN1r9UXT9JTgWGsXrMuPnD0JNwzvGvH%2BaEIYVUQN2flP4kEBhJy3od0EEEsJ6UwmXZL%2BL1sF6xdek0zIi5YjdhqTM9JNkxJj6ZvZf9Y%2BK%2Fzzx7sshgxE8ea%2FoMF4NWDA1NC94g4ohR8SKUQzXxyKytWD%2Blj6bu1YrWrE3zvjr4FALa36KC8l7AIbl1D%2FQP9RCrJ1HfrNR02VimntokZ6ojnA2whUEBYI5ffsJHXdakQYBhCaLMvlJbz%2F8jxVmc3LvDX%2B9w8YSeyjLG6PSKneU1A8DPNI1GMicPAguWgKmqr9ku6fPfyVCHIaMKb85b8GOp0Bn44lUZj3FupRv5miaaXeiMmA2rRdmJzzv%2Fz4Z0L6uQ9Wwdb%2FV%2FDo%2B8%2BjK3abNlqtXYU%2B%2B2%2F9Lh827fnW6k18o%2FTTeEGIaoL1KE1jJRVRgubWv1%2FqlgZr9CQdkSEDic8%2F0fy%2BXKvGHPfxROaA4AQEXv8FDvoBh9cFUWQumYEexBrojdEfPk8I%2BY9YJkCIJZlvzfIW6ay6elLTJ%2FrftQ%3D%3D&Expires=1744405806 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: bbuseruploads.s3.amazonaws.com
              Source: global traffic | HTTP traffic detected:
                GET /fedormaximofgfdvdc/saxxxax/raw/797c0121c4fd45bacf2e3e7cf71b0a0e2229177b/sccccsdddpfpfpf HTTP/1.1
                Accept: */*
                User-Agent: Chrome/95.0.4638.54
                Host: bitbucket.org
              Source: global traffic | HTTP traffic detected:
                GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1
                Host: www.google.com
                Connection: keep-alive
                X-Client-Data: CO6MywE=
                Sec-Fetch-Site: none
                Sec-Fetch-Mode: no-cors
                Sec-Fetch-Dest: empty
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                Accept-Encoding: gzip, deflate, br, zstd
                Accept-Language: en-US,en;q=0.9
              Source: global traffic | HTTP traffic detected:
                GET /async/ddljson?async=ntp:2 HTTP/1.1
                Host: www.google.com
                Connection: keep-alive
                Sec-Fetch-Site: none
                Sec-Fetch-Mode: no-cors
                Sec-Fetch-Dest: empty
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                Accept-Encoding: gzip, deflate, br, zstd
                Accept-Language: en-US,en;q=0.9
              Source: global traffic | HTTP traffic detected:
                GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
                Host: www.google.com
                Connection: keep-alive
                X-Client-Data: CO6MywE=
                Sec-Fetch-Site: cross-site
                Sec-Fetch-Mode: no-cors
                Sec-Fetch-Dest: empty
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                Accept-Encoding: gzip, deflate, br, zstd
                Accept-Language: en-US,en;q=0.9
              Source: global traffic | HTTP traffic detected:
                GET /async/newtab_promos HTTP/1.1
                Host: www.google.com
                Connection: keep-alive
                Sec-Fetch-Site: cross-site
                Sec-Fetch-Mode: no-cors
                Sec-Fetch-Dest: empty
                Sec-Fetch-Storage-Access: active
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                Accept-Encoding: gzip, deflate, br, zstd
                Accept-Language: en-US,en;q=0.9
              Source: global traffic | HTTP traffic detected:
                GET /fedormaximofgfdvdc/saxxxax/raw/797c0121c4fd45bacf2e3e7cf71b0a0e2229177b/sccccsdddpfpfpf HTTP/1.1
                Accept: */*
                User-Agent: Chrome/95.0.4638.54
                Host: bitbucket.org
              Source: global traffic | HTTP traffic detected:
                GET /_/scs/abc-static/_/js/k=gapi.gapi.en.24R2mrw_td8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9vR1rNwOjC3PXOxUlyKiCwNBv2Fg/cb=gapi.loaded_0 HTTP/1.1
                Host: apis.google.com
                Connection: keep-alive
                sec-ch-ua-platform: "Windows"
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
                sec-ch-ua-mobile: ?0
                Accept: */*
                X-Client-Data: CO6MywE=
                Sec-Fetch-Site: cross-site
                Sec-Fetch-Mode: no-cors
                Sec-Fetch-Dest: script
                Sec-Fetch-Storage-Access: active
                Accept-Encoding: gzip, deflate, br, zstd
                Accept-Language: en-US,en;q=0.9
              Source: global traffic | HTTP traffic detected:
                GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1
                Host: www.google.com
                Connection: keep-alive
                X-Client-Data: CO6MywE=
                Sec-Fetch-Site: none
                Sec-Fetch-Mode: no-cors
                Sec-Fetch-Dest: empty
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                Accept-Encoding: gzip, deflate, br, zstd
                Accept-Language: en-US,en;q=0.9
                Cookie: NID=523=VevyVW-ghNZe-bqJMUu8GXk_kK6_gOMly1V1ZO1BLRdAa3977CdBy5GLGRAIxqQn-fRLuhz3VRhx4MKrXQ5Xj4KYU5ax_7kuy5w080d-7hkKKf_YPoBoKvU7PeU8jhUzHcGTpD5BSTARlmP1YVFI3XPCKByfZ7suX-FeDdESzf6XuAvQmk_GUR6VbO1_4KpqDm_-Gpffxlc6ZbQ
              Source: global traffic | HTTP traffic detected:
                GET /async/ddljson?async=ntp:2 HTTP/1.1
                Host: www.google.com
                Connection: keep-alive
                Sec-Fetch-Site: none
                Sec-Fetch-Mode: no-cors
                Sec-Fetch-Dest: empty
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                Accept-Encoding: gzip, deflate, br, zstd
                Accept-Language: en-US,en;q=0.9
                Cookie: NID=523=VevyVW-ghNZe-bqJMUu8GXk_kK6_gOMly1V1ZO1BLRdAa3977CdBy5GLGRAIxqQn-fRLuhz3VRhx4MKrXQ5Xj4KYU5ax_7kuy5w080d-7hkKKf_YPoBoKvU7PeU8jhUzHcGTpD5BSTARlmP1YVFI3XPCKByfZ7suX-FeDdESzf6XuAvQmk_GUR6VbO1_4KpqDm_-Gpffxlc6ZbQ
              Source: global traffic | HTTP traffic detected:
                GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
                Host: www.google.com
                Connection: keep-alive
                X-Client-Data: CO6MywE=
                Sec-Fetch-Site: cross-site
                Sec-Fetch-Mode: no-cors
                Sec-Fetch-Dest: empty
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                Accept-Encoding: gzip, deflate, br, zstd
                Accept-Language: en-US,en;q=0.9
                Cookie: NID=523=VevyVW-ghNZe-bqJMUu8GXk_kK6_gOMly1V1ZO1BLRdAa3977CdBy5GLGRAIxqQn-fRLuhz3VRhx4MKrXQ5Xj4KYU5ax_7kuy5w080d-7hkKKf_YPoBoKvU7PeU8jhUzHcGTpD5BSTARlmP1YVFI3XPCKByfZ7suX-FeDdESzf6XuAvQmk_GUR6VbO1_4KpqDm_-Gpffxlc6ZbQ
              Source: global traffic | HTTP traffic detected:
                GET /async/newtab_promos HTTP/1.1
                Host: www.google.com
                Connection: keep-alive
                Sec-Fetch-Site: cross-site
                Sec-Fetch-Mode: no-cors
                Sec-Fetch-Dest: empty
                Sec-Fetch-Storage-Access: active
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
                Accept-Encoding: gzip, deflate, br, zstd
                Accept-Language: en-US,en;q=0.9
                Cookie: NID=523=VevyVW-ghNZe-bqJMUu8GXk_kK6_gOMly1V1ZO1BLRdAa3977CdBy5GLGRAIxqQn-fRLuhz3VRhx4MKrXQ5Xj4KYU5ax_7kuy5w080d-7hkKKf_YPoBoKvU7PeU8jhUzHcGTpD5BSTARlmP1YVFI3XPCKByfZ7suX-FeDdESzf6XuAvQmk_GUR6VbO1_4KpqDm_-Gpffxlc6ZbQ
              Source: global traffic | HTTP traffic detected:
                GET / HTTP/1.1
                Connection: Keep-Alive
                Accept: */*
                User-Agent: Microsoft-CryptoAPI/10.0
                Host: x1.i.lencr.org
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
              Source: chrome.exe, 0000000C.00000002.1875597738.00006F9400674000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030246234.000060DC00690000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
              Source: global traffic | DNS traffic detected: DNS query: bitbucket.org
              Source: global traffic | DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
              Source: global traffic | DNS traffic detected: DNS query: unbinddas.digital
              Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
              Source: global traffic | DNS traffic detected: DNS query: www.google.com
              Source: global traffic | DNS traffic detected: DNS query: ogads-pa.clients6.google.com
              Source: global traffic | DNS traffic detected: DNS query: apis.google.com
              Source: global traffic | DNS traffic detected: DNS query: play.google.com
              Source: unknown | HTTP traffic detected:
                POST /qwez HTTP/1.1
                Connection: Keep-Alive
                Content-Type: application/x-www-form-urlencoded
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
                Content-Length: 51
                Host: unbinddas.digital
              Source: chrome.exe, 0000000C.00000002.1869230043.00006F94001E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021570300.000060DC001F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://clients2.google.com/time/1/current
              Source: chrome.exe, 00000014.00000002.2031008588.000060DC00850000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
              Source: 77EC63BDA74BD0D0E0426DC8F80085060.4.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
              Source: chrome.exe, 00000014.00000002.2031363754.000060DC00904000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2031300853.000060DC008F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2020386886.000060DC000DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)
              Source: chrome.exe, 0000000C.00000002.1881332432.00006F9401028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2035764287.000060DC01080000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
              Source: chrome.exe, 0000000C.00000002.1868253429.00006F940006F000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2020192653.000060DC00096000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://google.com/
              Source: chrome.exe, 00000014.00000002.2035149916.000060DC00F40000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
              Source: chrome.exe, 0000000C.00000002.1879772085.00006F9400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://unisolated.invalid/
              Source: chromecache_201.13.dr | String found in binary or memory: http://www.broofa.com
              Source: chrome.exe, 00000014.00000002.2034436454.000060DC00DE8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/update2/response
              Source: chrome.exe, 0000000C.00000002.1879832263.00006F9400E58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034436454.000060DC00DE8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.gstatic.com/generate_204
              Source: 2D85F72862B55C4EADD9E66E06947F3D0.4.dr | String found in binary or memory: http://x1.i.lencr.org/
              Source: chrome.exe, 00000014.00000002.2034817453.000060DC00E67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://a-mo.net
              Source: chrome.exe, 0000000C.00000002.1879421248.00006F9400E10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
              Source: chrome.exe, 0000000C.00000002.1869230043.00006F94001E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
              Source: chrome.exe, 0000000C.00000002.1868169571.00006F9400030000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2019990486.000060DC00030000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
              Source: chrome.exe, 0000000C.00000002.1892002474.00006F94017C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1891713271.00006F9401704000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1875981117.00006F940077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1795148301.00006F94007C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1764822502.00006F94007C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030387716.000060DC0072C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1921859579.000060DC0077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030557305.000060DC00778000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945158226.000060DC0077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2039850922.000060DC017AC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com
              Source: chrome.exe, 0000000C.00000002.1892002474.00006F94017C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1869230043.00006F94001E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2039850922.000060DC017AC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021570300.000060DC001F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/AccountChooser
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021570300.000060DC001F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/AddSession
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021570300.000060DC001F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/Logout
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021570300.000060DC001F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/RotateBoundCookies
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021570300.000060DC001F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/chrome/blank.html
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/embedded/setup/windows
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
              Source: chrome.exe, 0000000C.00000002.1868332308.00006F9400078000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2020242157.000060DC000B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
              Source: chrome.exe, 00000014.00000002.2020242157.000060DC000B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxABCommonProgramFiles
              Source: chromecache_205.13.dr | String found in binary or memory: https://accounts.google.com/o/oauth2/auth
              Source: chromecache_205.13.dr | String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
              Source: chrome.exe, 0000000C.00000002.1869230043.00006F94001E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021570300.000060DC001F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021570300.000060DC001F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/oauth/multilogin
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021570300.000060DC001F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/samlredirect
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
              Source: chrome.exe, 0000000C.00000002.1875981117.00006F940077C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030387716.000060DC0072C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com:443
              Source: chrome.exe, 00000014.00000002.2034817453.000060DC00E67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://adsmeasurement.com
              Source: chrome.exe, 00000014.00000002.2034817453.000060DC00E67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://adtrafficquality.google
              Source: chrome.exe, 00000014.00000002.2034817453.000060DC00E67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apex-football.com
              Source: chrome.exe, 00000014.00000002.2036596235.000060DC01194000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1946924002.000060DC01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945996688.000060DC01864000.00000004.00000800.00020000.00000000.sdmp, chromecache_205.13.dr, chromecache_201.13.drString found in binary or memory: https://apis.google.com
              Source: chrome.exe, 00000014.00000002.2034245576.000060DC00D8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2033809118.000060DC00C8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.24R2mrw_td8.O/m=gapi_iframes
              Source: chrome.exe, 00000014.00000002.2034817453.000060DC00E67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://atomex.net
              Source: chrome.exe, 00000014.00000002.2034817453.000060DC00E67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://audienceproject.com
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000003.1799863251.00000000011FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000003.1799962227.0000000001208000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aui-cdn.atlassian.com/
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000003.1799962227.0000000001208000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000A.00000002.2777499558.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000A.00000003.1726404095.0000000000F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-exp.prod-east.front-
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000003.1799962227.0000000001208000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000003.1799962227.0000000001208000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000003.1799962227.0000000001208000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000003.1556577656.0000000001362000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000002.1562412314.0000000001362000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000003.1799962227.0000000001208000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000003.1799962227.0000000001208000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000003.1799962227.0000000001208000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000003.1556262966.0000000001379000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000003.1554287872.0000000001372000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000002.1562412314.0000000001362000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000003.1543608679.0000000001372000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000003.1543608679.0000000001372000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbuseruploads.s3.amazonaws.com/6544da31-4ffc-4ef7-929c-ad409ab2ef2f/downloads/21ffe1a0-863b-
              Source: chrome.exe, 00000014.00000002.2034817453.000060DC00E67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://beaconmax.com
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000A.00000003.1726404095.0000000000F8D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000002.2777332310.00000000011A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000003.00000002.2777921635.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000003.00000003.1599107352.00000000014C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/&nX
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000003.00000003.1599107352.0000000001495000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000003.00000002.2777921635.0000000001495000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/66=
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000A.00000002.2777499558.0000000000F42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/IE5
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000002.1562412314.0000000001300000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000002.1562412314.0000000001342000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000003.1556577656.000000000130A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000003.1543608679.0000000001372000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/fedormaximofgfdvdc/saxxxax/downloads/chicos.pdf
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000002.1562412314.0000000001300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/fedormaximofgfdvdc/saxxxax/downloads/chicos.pdfW
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000002.1562412314.0000000001300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/fedormaximofgfdvdc/saxxxax/downloads/chicos.pdfe
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000003.1556577656.0000000001342000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000002.1562412314.0000000001342000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/fedormaximofgfdvdc/saxxxax/downloads/chicos.pdfu
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000002.2777332310.00000000011A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/fedormaximofgfdvdc/saxxxax/raw/797c0121c4fd45bacf2e3e7cf71b0a0e2229177b/sccccs
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000003.00000002.2777921635.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000003.00000003.1599107352.00000000014C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/gn
              Source: chrome.exe, 0000000C.00000002.1877070358.00006F94009B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2031543590.000060DC00950000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/
              Source: chrome.exe, 0000000C.00000003.1795194766.00006F94013C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1795258254.00006F9400538000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1795085914.00006F940136C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1795337574.00006F9401404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945251704.000060DC00578000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945111975.000060DC01484000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945353458.000060DC014B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945206115.000060DC01494000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com
              Source: chrome.exe, 0000000C.00000002.1878574177.00006F9400CD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1887952918.00006F940138C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877737560.00006F9400B24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1797248948.00006F940138C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1924851843.000060DC01500000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1986796316.000060DC01510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2038535217.000060DC01510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2033074347.000060DC00B2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945353458.000060DC01510000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000003.1799863251.00000000011FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000003.1799962227.0000000001208000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.cookielaw.org/
              Source: chrome.exe, 0000000C.00000002.1879421248.00006F9400E10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: chrome.exe, 0000000C.00000002.1879421248.00006F9400E10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: chrome.exe, 0000000C.00000002.1879421248.00006F9400E10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: chrome.exe, 00000014.00000003.1925416668.000060DC01194000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2031363754.000060DC00904000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2031008588.000060DC00850000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021095422.000060DC00180000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore
              Source: chrome.exe, 00000014.00000003.1922497046.000060DC01184000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore/category/collection/chrome_color_themes?hl=$
              Source: chrome.exe, 0000000C.00000002.1863543318.00000185ADBA7000.00000004.08000000.00040000.00000000.sdmp, chrome.exe, 0000000C.00000002.1886213668.00006F940119C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1882232759.00006F94010C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1891343059.00006F9401654000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1879772085.00006F9400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2037051642.000060DC01214000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034817453.000060DC00E60000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034436454.000060DC00DE8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034733642.000060DC00E30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2012990849.00000235A2947000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
              Source: chrome.exe, 0000000C.00000003.1797098243.00006F9401968000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1886852895.00006F9401290000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1794568788.00006F9401160000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1797199559.00006F9401978000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1797169435.00006F9401970000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1769706085.00006F9401298000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1944615234.000060DC01184000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1925416668.000060DC01194000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstoreLDDiscover
              Source: chrome.exe, 00000014.00000003.1908904001.000060D800498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymity-pa.googleapis.com/
              Source: chrome.exe, 0000000C.00000003.1753380361.00006F9000188000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1753326629.00006F900017C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1838436013.00006F9401AEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1908118925.000060D80017C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1947740484.000060DC01A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1908209635.000060D800188000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
              Source: chrome.exe, 00000014.00000003.1908904001.000060D800498000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
              Source: chrome.exe, 0000000C.00000003.1753380361.00006F9000188000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1753326629.00006F900017C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1838436013.00006F9401AEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1908118925.000060D80017C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1947740484.000060DC01A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1908209635.000060D800188000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
              Source: chrome.exe, 0000000C.00000003.1753380361.00006F9000188000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1753326629.00006F900017C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1838436013.00006F9401AEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1908118925.000060D80017C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1947740484.000060DC01A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1908209635.000060D800188000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
              Source: chrome.exe, 0000000C.00000002.1876440091.00006F9400820000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030614368.000060DC007AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromemodelexecution-pa.googleapis.com/v1:Execute?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
              Source: chrome.exe, 0000000C.00000002.1876440091.00006F9400820000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030614368.000060DC007AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromemodelquality-pa.googleapis.com/v1:LogAiData?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNh
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
              Source: chrome.exe, 0000000C.00000002.1869079926.00006F94001B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021095422.000060DC00180000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromewebstore.google.com/
              Source: chrome.exe, 0000000C.00000002.1877242524.00006F94009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2031487541.000060DC00930000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromewebstore.google.com/category/extensions
              Source: chrome.exe, 0000000C.00000002.1877242524.00006F94009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2031487541.000060DC00930000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chromewebstore.google.com/category/themes
              Source: chrome.exe, 0000000C.00000002.1869230043.00006F94001E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021570300.000060DC001F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://classroom.googleapis.com/
              Source: chrome.exe, 0000000C.00000003.1745394928.000006A8000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1906349706.00002FC0000DC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/cr/report
              Source: chrome.exe, 0000000C.00000002.1869079926.00006F94001B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1882232759.00006F94010C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877030359.00006F9400988000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1876997313.00006F9400970000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2031418986.000060DC00918000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021026428.000060DC00170000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2033405886.000060DC00BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021095422.000060DC00180000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crx
              Source: chrome.exe, 0000000C.00000002.1876304203.00006F94007E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030710133.000060DC007BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
              Source: chrome.exe, 0000000C.00000002.1876517338.00006F940083C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030909397.000060DC00810000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
              Source: chrome.exe, 0000000C.00000002.1876517338.00006F940083C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030909397.000060DC00810000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://clients4.google.com/chrome-sync
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://clients4.google.com/chrome-sync/event
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://clients4.google.com/chrome-syncstorage.mojom.FileLockMessageHeaderValidator
              Source: chromecache_205.13.drString found in binary or memory: https://clients6.google.com
              Source: chrome.exe, 0000000C.00000002.1876597717.00006F94008A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2031008588.000060DC00850000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=134
              Source: chromecache_205.13.drString found in binary or memory: https://content.googleapis.com
              Source: chrome.exe, 00000014.00000002.2034817453.000060DC00E67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://creative-serving.com
              Source: chrome.exe, 00000014.00000002.2023805866.000060DC003D8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
              Source: chrome.exe, 00000014.00000002.2034817453.000060DC00E67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dailymotion.com
              Source: chrome.exe, 00000014.00000002.2025351756.000060DC004E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/:
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/J
              Source: chrome.exe, 0000000C.00000003.1838436013.00006F9401AEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1947740484.000060DC01A04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
              Source: chrome.exe, 0000000C.00000002.1875597738.00006F9400674000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030246234.000060DC00690000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
              Source: chrome.exe, 0000000C.00000002.1878574177.00006F9400CD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1887952918.00006F940138C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877737560.00006F9400B24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1797248948.00006F940138C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034393530.000060DC00DC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2033074347.000060DC00B2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
              Source: chrome.exe, 0000000C.00000002.1878574177.00006F9400CD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1887952918.00006F940138C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877737560.00006F9400B24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1797248948.00006F940138C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1924851843.000060DC01500000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1986796316.000060DC01510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2038535217.000060DC01510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2033074347.000060DC00B2C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945353458.000060DC01510000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/:
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/J
              Source: chrome.exe, 0000000C.00000002.1875597738.00006F9400674000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030246234.000060DC00690000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
              Source: chrome.exe, 0000000C.00000002.1878574177.00006F9400CD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1887952918.00006F940138C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877737560.00006F9400B24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1797248948.00006F940138C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2035437123.000060DC01004000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2033074347.000060DC00B2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
              Source: chrome.exe, 00000014.00000002.2035437123.000060DC01004000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actionsC0A
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/:
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/J
              Source: chrome.exe, 0000000C.00000002.1875597738.00006F9400674000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030246234.000060DC00690000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
              Source: chrome.exe, 0000000C.00000002.1878574177.00006F9400CD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1887952918.00006F940138C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877737560.00006F9400B24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1797248948.00006F940138C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034393530.000060DC00DC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2033074347.000060DC00B2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
              Source: chromecache_205.13.drString found in binary or memory: https://domains.google.com/suggest/flow
              Source: chrome.exe, 00000014.00000002.2025351756.000060DC004E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-1.corp.google.c
              Source: chrome.exe, 00000014.00000002.2025351756.000060DC004E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-3.corp.googl
              Source: chrome.exe, 00000014.00000002.2025351756.000060DC004E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive-daily-5.corp.google.com/
              Source: chrome.exe, 00000014.00000002.2025351756.000060DC004E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive-preprod.corp.google.com/
              Source: chrome.exe, 00000014.00000002.2025351756.000060DC004E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/:
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?lfhs=2
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/J
              Source: chrome.exe, 0000000C.00000002.1875597738.00006F9400674000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030246234.000060DC00690000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000003.1799863251.00000000011FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000003.1799962227.0000000001208000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ds-cdn.prod-east.frontend.public.atl-paas.net
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000003.1799962227.0000000001208000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
              Source: chrome.exe, 00000014.00000002.2034817453.000060DC00E67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://eloan.co.jp
              Source: chrome.exe, 00000014.00000002.2034817453.000060DC00E67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://explorefledge.com
              Source: chrome.exe, 0000000C.00000003.1769509497.00006F9401604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1769051438.00006F9401568000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1769415870.00006F940153C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1924920075.000060DC015BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1925148213.000060DC01604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1925110185.000060DC01568000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fonts.google.com/icons?selected=Material
              Source: chromecache_201.13.drString found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
              Source: chromecache_201.13.drString found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
              Source: chromecache_201.13.drString found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
              Source: chromecache_201.13.drString found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
              Source: chrome.exe, 0000000C.00000002.1879421248.00006F9400E10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
              Source: chrome.exe, 0000000C.00000003.1838436013.00006F9401AEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1947740484.000060DC01A04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/glic/intro?20
              Source: chrome.exe, 0000000C.00000003.1838436013.00006F9401AEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1947740484.000060DC01A04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/glicbm
              Source: chrome.exe, 0000000C.00000003.1753380361.00006F9000188000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1753326629.00006F900017C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1838436013.00006F9401AEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1908118925.000060D80017C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1947740484.000060DC01A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1908209635.000060D800188000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
              Source: chrome.exe, 0000000C.00000003.1753380361.00006F9000188000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1753326629.00006F900017C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1838436013.00006F9401AEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1908118925.000060D80017C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1947740484.000060DC01A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1908209635.000060D800188000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
              Source: chrome.exe, 00000014.00000003.1909448193.000060D8004CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
              Source: chrome.exe, 0000000C.00000003.1753380361.00006F9000188000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1753326629.00006F900017C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1908118925.000060D80017C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1908209635.000060D800188000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1868087906.00006F9400004000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2019903375.000060DC00004000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://google.com/
              Source: chrome.exe, 0000000C.00000002.1876955307.00006F940095C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2031363754.000060DC00904000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://googleusercontent.com/
              Source: chrome.exe, 0000000C.00000003.1798483671.00006F9401AB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1838436013.00006F9401AEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1947531556.000060DC01C64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1947740484.000060DC01A04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://goto.google.com/sme-bugs2e
              Source: chrome.exe, 00000014.00000002.2034817453.000060DC00E67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gunosy.com
              Source: chrome.exe, 00000014.00000002.2038630478.000060DC01530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945996688.000060DC01864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://id.google.com/verify/AH5-l67hnv9Sszs_AnkMvGY4pAGckrNfHn4QHf7m0Gk8J5w2BdlmmU5aJDmqbLAcu3pKZ1C
              Source: chrome.exe, 0000000C.00000002.1878042306.00006F9400BC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1878952551.00006F9400DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1891781327.00006F940173C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2039346094.000060DC01724000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2032953635.000060DC00B18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034034150.000060DC00D0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
              Source: chrome.exe, 00000014.00000003.1908209635.000060D800188000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search/experiment/2
              Source: chrome.exe, 00000014.00000002.2018289596.000060D80002C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search/experiment/2/springboard
              Source: chrome.exe, 0000000C.00000003.1753380361.00006F9000188000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1753326629.00006F900017C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1908118925.000060D80017C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1908209635.000060D800188000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
              Source: chrome.exe, 0000000C.00000003.1753380361.00006F9000188000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1753326629.00006F900017C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1908118925.000060D80017C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1908209635.000060D800188000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
              Source: chrome.exe, 0000000C.00000002.1866858788.00006F900002C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search/experiment/2/springboardo
              Source: chrome.exe, 00000014.00000003.1908209635.000060D800188000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search/experiments
              Source: chrome.exe, 00000014.00000002.2038630478.000060DC01530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945996688.000060DC01864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://labs.google.com/search?source=ntp
              Source: chrome.exe, 0000000C.00000003.1795258254.00006F9400538000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1795337574.00006F9401404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945251704.000060DC00578000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945353458.000060DC014B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lens.google.com/gen204
              Source: chrome.exe, 00000014.00000003.1909872023.000060D8004D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lens.google.com/v3/upload
              Source: chrome.exe, 00000014.00000003.1908209635.000060D800188000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lens.google.com/v3/upload2
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000003.1556577656.0000000001342000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000002.1562412314.0000000001342000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comW
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://m.google.com/devicemanagement/data/api
              Source: chrome.exe, 0000000C.00000002.1894201631.00006F9401A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1894618450.00006F9401AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2036232744.000060DC010F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2035282190.000060DC00FBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2037380104.000060DC012B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/:
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/J
              Source: chrome.exe, 0000000C.00000002.1882698010.00006F94010D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1891904109.00006F9401784000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1892884616.00006F9401870000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1986796316.000060DC01510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2038535217.000060DC01510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945353458.000060DC01510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030291183.000060DC006AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/download?usp=chrome_default
              Source: chrome.exe, 00000014.00000002.2030291183.000060DC006AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/download?usp=chrome_default(
              Source: chrome.exe, 00000014.00000003.1986796316.000060DC01510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2038535217.000060DC01510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945353458.000060DC01510000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/download?usp=chrome_defaultfault
              Source: chrome.exe, 0000000C.00000002.1891904109.00006F9401784000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/chat/download?usp=chrome_defaultll.html
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/:
              Source: chrome.exe, 0000000C.00000002.1868844574.00006F940014C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?t
              Source: chrome.exe, 00000014.00000002.2038630478.000060DC01530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945996688.000060DC01864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=rm&amp;ogbl
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
              Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/J
              Source: chrome.exe, 0000000C.00000002.1875597738.00006F9400674000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030246234.000060DC00690000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
              Source: chrome.exe, 00000014.00000002.2034817453.000060DC00E67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://metro.co.uk
              Source: chrome.exe, 0000000C.00000002.1878806892.00006F9400D14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1882698010.00006F94010D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877660316.00006F9400ACC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2038984511.000060DC0168C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2032188102.000060DC00A40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
              Source: chrome.exe, 0000000C.00000002.1878806892.00006F9400D14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1891713271.00006F9401704000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877534197.00006F9400A6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2036344703.000060DC0113C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2032188102.000060DC00A40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034034150.000060DC00D0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
              Source: chrome.exe, 0000000C.00000002.1878806892.00006F9400D14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1891713271.00006F9401704000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877534197.00006F9400A6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2036344703.000060DC0113C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2032188102.000060DC00A40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034034150.000060DC00D0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
              Source: chrome.exe, 0000000C.00000003.1838436013.00006F9401AEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1947740484.000060DC01A04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
              Source: chrome.exe, 0000000C.00000002.1891713271.00006F9401704000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877534197.00006F9400A6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030710133.000060DC007BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2032188102.000060DC00A40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034034150.000060DC00D0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
              Source: chrome.exe, 00000014.00000002.2033603529.000060DC00C14000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://myactivity.google.com/
              Source: chrome.exe, 00000014.00000002.2034817453.000060DC00E67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nexxen.tech
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021570300.000060DC001F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oauthaccountmanager.googleapis.com/
              Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
              Source: chrome.exe, 00000014.00000002.2036596235.000060DC01194000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1946924002.000060DC01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945996688.000060DC01864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ogads-pa.clients6.google.com
              Source: chrome.exe, 00000014.00000002.2036344703.000060DC0113C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ogads-pa.clients6.google.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/Ge
              Source: chrome.exe, 00000014.00000002.2039850922.000060DC017AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ogs.google.com
              Source: chrome.exe, 00000014.00000002.2036596235.000060DC01194000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1946924002.000060DC01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945996688.000060DC01864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
              Source: chrome.exe, 00000014.00000002.2036596235.000060DC01194000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1946924002.000060DC01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945996688.000060DC01864000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ogs.google.com/widget/callout?eom=1
              Source: chrome.exe, 00000014.00000002.2034817453.000060DC00E67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://open-bid.com
              Source: chrome.exe, 00000014.00000002.2036344703.000060DC0113C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1984608877.000060DC01AD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2023805866.000060DC003D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1984967233.000060DC01AEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1984672420.000060DC01ADC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1984420211.000060DC01AB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1983236788.000060DC01C87000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2042002336.000060DC01CD6000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2041558225.000060DC01C87000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1984816277.000060DC01AE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2035600170.000060DC01048000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2036754156.000060DC011C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1983440213.000060DC01A6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1984930577.000060DC01AE8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2039494362.000060DC01770000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1984063470.000060DC01A80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1983546867.000060DC01A74000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1984165721.000060DC01A98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2041726616.000060DC01C9C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 
00000014.00000003.1983852471.000060DC01A7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1984719572.000060DC01AE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000014.00000002.2040357031.000060DC01894000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2036754156.000060DC011C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000014.00000002.2041243078.000060DC01BC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 0000000C.00000002.1886732666.00006F9401260000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1887073117.00006F94012D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1765042003.00006F9400DB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1881774665.00006F940106C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2036444609.000060DC01170000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000014.00000002.2041243078.000060DC01BC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021095422.000060DC00180000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 0000000C.00000002.1886732666.00006F9401260000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1887073117.00006F94012D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1887123406.00006F94012F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1878295150.00006F9400C68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1765042003.00006F9400DB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1881774665.00006F940106C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2036444609.000060DC01170000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2036754156.000060DC011C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2036146947.000060DC010D4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 0000000C.00000002.1886732666.00006F9401260000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1887073117.00006F94012D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1887123406.00006F94012F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1765042003.00006F9400DB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2036444609.000060DC01170000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2036754156.000060DC011C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 0000000C.00000002.1887073117.00006F94012D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877030359.00006F9400988000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1765042003.00006F9400DB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2036444609.000060DC01170000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2039494362.000060DC01770000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 0000000C.00000003.1795194766.00006F94013C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1795258254.00006F9400538000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1795337574.00006F9401404000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945251704.000060DC00578000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945353458.000060DC014B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945206115.000060DC01494000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://outlook.office.com/calendar/
Source: chrome.exe, 0000000C.00000002.1877030359.00006F9400988000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2031543590.000060DC00950000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://passwords.google/
Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021570300.000060DC001F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://people.googleapis.com/
Source: chromecache_201.13.dr | String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_205.13.dr | String found in binary or memory: https://plus.google.com
Source: chromecache_205.13.dr | String found in binary or memory: https://plus.googleapis.com
Source: chrome.exe, 0000000C.00000002.1878339791.00006F9400C80000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1765930482.00006F9401180000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1764910876.00006F94002CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2025351756.000060DC004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2033603529.000060DC00C14000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000014.00000002.2034817453.000060DC00E67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://postrelease.com
Source: chrome.exe, 0000000C.00000002.1875981117.00006F9400774000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030774008.000060DC007F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 0000000C.00000002.1875981117.00006F9400774000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030774008.000060DC007F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000003.1799863251.00000000011FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000003.1799962227.0000000001208000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000003.1799863251.00000000011FF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000003.1799962227.0000000001208000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: chrome.exe, 00000014.00000002.2021431380.000060DC001EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000014.00000002.2034817453.000060DC00E67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://samplicio.us
Source: chrome.exe, 0000000C.00000002.1878738453.00006F9400CEC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sctauditing-pa.g
Source: chrome.exe, 00000014.00000002.2020717132.000060DC00128000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2020242157.000060DC000A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyA2KlwBX3mkFo30om9LU
Source: chrome.exe, 0000000C.00000002.1869301762.00006F9400204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1879772085.00006F9400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034436454.000060DC00DE8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 0000000C.00000003.1838436013.00006F9401AEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1947740484.000060DC01A04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 0000000C.00000002.1878042306.00006F9400BC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1878952551.00006F9400DB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1891781327.00006F940173C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2039346094.000060DC01724000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2032953635.000060DC00B18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034034150.000060DC00D0C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000014.00000002.2038630478.000060DC01530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945996688.000060DC01864000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: chrome.exe, 0000000C.00000002.1875883063.00006F94006E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030291183.000060DC006AC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome?p=desktop_tab_groups
Source: chrome.exe, 0000000C.00000002.1879772085.00006F9400E48000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034436454.000060DC00DE8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 0000000C.00000002.1869230043.00006F94001E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021570300.000060DC001F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tasks.googleapis.com/
Source: chrome.exe, 00000014.00000002.2034817453.000060DC00E67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://torneos.gg
Source: RegAsm.exe, 0000000B.00000002.2780595853.00000000010BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unbinddas.digital/
Source: RegAsm.exe, 0000000B.00000002.2780595853.00000000010BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unbinddas.digital/R8
Source: RegSvcs.exe, 00000006.00000002.2779337501.0000000001247000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2779843925.000000000129F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2779962634.00000000012A6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2780595853.00000000010AB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2781492728.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2780214573.000000000105B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000F.00000002.2779420763.000000000153B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000F.00000002.2779602036.0000000001544000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unbinddas.digital/qwez
Source: CasPol.exe, 0000000F.00000002.2779602036.000000000155A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unbinddas.digital/qwez1
Source: RegSvcs.exe, 00000006.00000002.2779962634.00000000012A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unbinddas.digital/qwezA
Source: CasPol.exe, 0000000F.00000002.2779602036.0000000001544000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unbinddas.digital/qwezC
Source: RegAsm.exe, 0000000B.00000002.2780595853.00000000010AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unbinddas.digital/qwezE
Source: RegAsm.exe, 0000000B.00000002.2780595853.00000000010AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unbinddas.digital/qwezN
Source: CasPol.exe, 0000000F.00000002.2779420763.000000000153B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unbinddas.digital/qwezPR
Source: RegAsm.exe, 0000000B.00000002.2780595853.00000000010AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unbinddas.digital/qwezW
Source: RegAsm.exe, 0000000B.00000002.2780214573.000000000105B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unbinddas.digital/qweza
Source: CasPol.exe, 0000000F.00000002.2779420763.000000000153B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unbinddas.digital/qwezbS
Source: CasPol.exe, 0000000F.00000002.2779602036.000000000155A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unbinddas.digital/qwezw
Source: RegAsm.exe, 0000000B.00000002.2780595853.00000000010BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unbinddas.digital/s
Source: RegAsm.exe, 0000000B.00000002.2781409217.00000000010CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unbinddas.digital:443/qwez
Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000E.00000003.1799962227.0000000001208000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000003.1543608679.0000000001372000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website9
Source: chromecache_205.13.dr | String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: chrome.exe, 0000000C.00000002.1879421248.00006F9400E10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: chrome.exe, 00000014.00000002.2040040215.000060DC01814000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000014.00000002.2034436454.000060DC00DE8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2025351756.000060DC004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2037422577.000060DC012E7000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2037380104.000060DC012B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2038587990.000060DC01520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034733642.000060DC00E30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/
Source: chrome.exe, 0000000C.00000002.1891781327.00006F940173C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2039095408.000060DC016B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 0000000C.00000002.1886213668.00006F940119C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2036232744.000060DC010F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 0000000C.00000002.1877030359.00006F9400988000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2031543590.000060DC00950000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/chrome/#safe
Source: chrome.exe, 0000000C.00000002.1877242524.00006F94009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2031487541.000060DC00930000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/chrome/browser-features/
Source: chrome.exe, 0000000C.00000002.1877242524.00006F94009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2031487541.000060DC00930000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/chrome/browser-tools/
Source: chrome.exe, 0000000C.00000002.1878806892.00006F9400D14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1881843067.00006F9401080000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1878042306.00006F9400BC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2032396758.000060DC00AD0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034034150.000060DC00D0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2035282190.000060DC00FBC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 0000000C.00000002.1874897486.00006F9400664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1870255982.00006F9400368000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1876517338.00006F940083C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1879421248.00006F9400E10000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1868973903.00006F940017C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1875883063.00006F94006E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030090288.000060DC00664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2020967375.000060DC00164000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2035716097.000060DC01070000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030909397.000060DC00810000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030291183.000060DC006AC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: chrome.exe, 00000014.00000002.2038630478.000060DC01530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945996688.000060DC01864000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/imghp?hl=en&amp;tab=ri&amp;ogbl
Source: chrome.exe, 00000014.00000003.1945996688.000060DC01864000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 0000000C.00000003.1838436013.00006F9401AEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1947740484.000060DC01A04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000014.00000002.2015575121.00000235A3A7D000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com/speech-api/v2/synthesize?enc=mpeg&client=chromium
Source: chrome.exe, 0000000C.00000002.1875597738.00006F9400674000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030246234.000060DC00690000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000014.00000002.2030246234.000060DC00690000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit26
Source: chrome.exe, 0000000C.00000002.1875597738.00006F9400674000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit2C
Source: chrome.exe, 0000000C.00000002.1869230043.00006F94001E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021728474.000060DC00204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/
Source: chromecache_205.13.dr | String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_205.13.dr | String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chrome.exe, 0000000C.00000003.1838436013.00006F9401AEC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1947740484.000060DC01A04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 0000000C.00000002.1869230043.00006F94001E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021570300.000060DC001F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 0000000C.00000002.1869230043.00006F94001E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021570300.000060DC001F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 0000000C.00000002.1869230043.00006F94001E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021570300.000060DC001F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 0000000C.00000002.1869230043.00006F94001E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021570300.000060DC001F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000014.00000002.2040040215.000060DC01814000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000014.00000002.2040040215.000060DC01814000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 00000014.00000002.2030909397.000060DC00810000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chromecache_201.13.dr | String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_201.13.dr | String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_201.13.dr | String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: chrome.exe, 00000014.00000002.2040454499.000060DC01924000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 0000000C.00000003.1795533808.00006F940033D000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1893000797.00006F9401920000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1797382098.00006F9401958000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1796949093.00006F9401474000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1797008430.00006F94018D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1796860332.00006F94018B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1944648134.000060DC01704000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945671689.000060DC01874000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1946879238.000060DC01974000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1947125286.000060DC01944000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1946840006.000060DC0196C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2040454499.000060DC01924000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000014.00000002.2036596235.000060DC01194000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1946924002.000060DC01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945996688.000060DC01864000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2021095422.000060DC00180000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.jqdIqvbJp8E.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000014.00000002.2036596235.000060DC01194000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1946924002.000060DC01438000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945996688.000060DC01864000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.9A4Zhe6nQ4Q.L.W.O/m=qmd
Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 0000000C.00000002.1875597738.00006F9400674000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1879682151.00006F9400E38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2030246234.000060DC00690000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034279065.000060DC00D98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: chrome.exe, 00000014.00000002.2034817453.000060DC00E67000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://yieldlab.net
              Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
              Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
              Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49686 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
              Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
              Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49774
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49773
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49694
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49691
              Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49685 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
              Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
              Source: unknown | Network traffic detected: HTTP traffic on port 49681 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49773 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
              Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49687
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
              Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686
              Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49685
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49684
              Source: unknown | Network traffic detected: HTTP traffic on port 49678 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49681
              Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49684 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
              Source: unknown | Network traffic detected: HTTP traffic on port 49774 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
              Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
              Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49694 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49687 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
              Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
              Source: unknown | HTTPS traffic detected: 104.192.142.25:443 -> 192.168.2.6:49684 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 3.5.21.193:443 -> 192.168.2.6:49685 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.192.142.25:443 -> 192.168.2.6:49686 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49687 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49691 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49694 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49699 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49705 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.192.142.25:443 -> 192.168.2.6:49706 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49707 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49708 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49709 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.192.142.26:443 -> 192.168.2.6:49725 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49728 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49739 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49740 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49741 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49742 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49743 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49744 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49757 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49770 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49771 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49772 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49773 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49774 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49776 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 172.67.172.163:443 -> 192.168.2.6:49777 version: TLS 1.2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_03391000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GetClipboardSequenceNumber,GlobalAlloc,GlobalLock,GetClipboardSequenceNumber,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,GetClipboardSequenceNumber,Sleep,CloseClipboard,GetClipboardSequenceNumber,6_2_03391000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_03361000 Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,11_2_03361000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_036D1000 Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,15_2_036D1000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00421D30 CreateDesktopW,11_2_00421D30
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002A6510 0_2_002A6510
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002A6A00 0_2_002A6A00
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002EA010 0_2_002EA010
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002A20F0 0_2_002A20F0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002F83A8 0_2_002F83A8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002E15B5 0_2_002E15B5
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002E75DE 0_2_002E75DE
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002F18E4 0_2_002F18E4
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002F6A2B 0_2_002F6A2B
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002E2E20 0_2_002E2E20
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002A4F30 0_2_002A4F30
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 3_2_00AB20F0 3_2_00AB20F0
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 3_2_00AB6510 3_2_00AB6510
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 3_2_00AB6A00 3_2_00AB6A00
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 3_2_00AB4F30 3_2_00AB4F30
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 3_2_00AFA010 3_2_00AFA010
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 3_2_00B083A8 3_2_00B083A8
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 3_2_00AF15B5 3_2_00AF15B5
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 3_2_00AF75DE 3_2_00AF75DE
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 3_2_00B018E4 3_2_00B018E4
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 3_2_00B06A2B 3_2_00B06A2B
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 3_2_00AF2E20 3_2_00AF2E20
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0040B270 6_2_0040B270
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00418000 6_2_00418000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00430000 6_2_00430000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004508A0 6_2_004508A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041234F 6_2_0041234F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0040D97E 6_2_0040D97E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004157B2 6_2_004157B2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00402E00 6_2_00402E00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00415000 6_2_00415000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00450000 6_2_00450000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00430E0D 6_2_00430E0D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00409C10 6_2_00409C10
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0040FA10 6_2_0040FA10
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00403E24 6_2_00403E24
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00408E30 6_2_00408E30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0040E6C0 6_2_0040E6C0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0040BEE0 6_2_0040BEE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00404082 6_2_00404082
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004076A0 6_2_004076A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004088A0 6_2_004088A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00403F1A 6_2_00403F1A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00403F3A 6_2_00403F3A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0040E5F0 6_2_0040E5F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00402380 6_2_00402380
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00408390 6_2_00408390
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0040C590 6_2_0040C590
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00430794 6_2_00430794
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004037A0 6_2_004037A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_033911E0 6_2_033911E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0042C166 11_2_0042C166
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00428630 11_2_00428630
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00422D6C 11_2_00422D6C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041DBCF 11_2_0041DBCF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_004205D0 11_2_004205D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041E9DB 11_2_0041E9DB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0042247F 11_2_0042247F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041C616 11_2_0041C616
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00425A90 11_2_00425A90
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00427491 11_2_00427491
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041FC9A 11_2_0041FC9A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00423144 11_2_00423144
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00429570 11_2_00429570
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041B908 11_2_0041B908
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00424910 11_2_00424910
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00428F10 11_2_00428F10
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041E7D4 11_2_0041E7D4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00423D82 11_2_00423D82
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041CB9C 11_2_0041CB9C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_0041A5AB 11_2_0041A5AB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_00451490 11_2_00451490
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 11_2_033611E0 11_2_033611E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00446020 15_2_00446020
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_0044D03C 15_2_0044D03C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_0044E9B0 15_2_0044E9B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_0044AA53 15_2_0044AA53
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_0044CB42 15_2_0044CB42
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00437545 15_2_00437545
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_0044EF00 15_2_0044EF00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_0043F0C8 15_2_0043F0C8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00437897 15_2_00437897
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_0043996C 15_2_0043996C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00439972 15_2_00439972
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00444107 15_2_00444107
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_004349FB 15_2_004349FB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00434A1B 15_2_00434A1B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_0044C2E4 15_2_0044C2E4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_0043B370 15_2_0043B370
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00433C54 15_2_00433C54
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00444C71 15_2_00444C71
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00438C02 15_2_00438C02
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_0043DC26 15_2_0043DC26
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_0043E4E0 15_2_0043E4E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_0043BC89 15_2_0043BC89
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00445540 15_2_00445540
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00440D10 15_2_00440D10
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_0044DD37 15_2_0044DD37
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_004335E0 15_2_004335E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_0043859A 15_2_0043859A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_0043FE71 15_2_0043FE71
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00438ECD 15_2_00438ECD
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00432F48 15_2_00432F48
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_0043C75F 15_2_0043C75F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_0043BFC1 15_2_0043BFC1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00436780 15_2_00436780
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_004407A0 15_2_004407A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_004457A0 15_2_004457A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_004317AB 15_2_004317AB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00411000 15_2_00411000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00411E0F 15_2_00411E0F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_036D11E0 15_2_036D11E0
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: String function: 00AF1930 appears 51 times
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: String function: 002E1930 appears 51 times
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@65/63@20/11
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_00446020 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,GetVolumeInformationW,15_2_00446020
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\chicos[1].pdf
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Mutant created: \Sessions\1\BaseNamedObjects\AutoStartupInstanceMutex
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | File created: C:\Users\user\AppData\Local\Temp\chicos.pdf
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: chrome.exe, 0000000C.00000002.1877504396.00006F9400A63000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2034034150.000060DC00D45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Virustotal: Detection: 28%
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | ReversingLabs: Detection: 19%
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe
              Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\chicos.pdf"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Process created: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe"
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2232 --field-trial-handle=1568,i,3161660524904060145,7389112258503054530,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe"
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9203
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2296,i,6470514897906357561,16771571558271780374,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:3
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe"
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9203
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2436,i,18332296753667315141,5140261838621725838,262144 --variations-seed-version --mojo-platform-channel-handle=2528 /prefetch:3
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\chicos.pdf"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeProcess created: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe" Jump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215Jump to behavior
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2232 --field-trial-handle=1568,i,3161660524904060145,7389112258503054530,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8Jump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9203
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2296,i,6470514897906357561,16771571558271780374,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:3
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9203
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2436,i,18332296753667315141,5140261838621725838,262144 --variations-seed-version --mojo-platform-channel-handle=2528 /prefetch:3
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: edputil.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: policymanager.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: msvcp110_win.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: appresolver.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: bcp47langs.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: slc.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: sppc.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: wininet.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: netutils.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: schannel.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: wininet.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: netutils.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: schannel.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: apphelp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: webio.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: wininet.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: netutils.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: schannel.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeSection loaded: ncrypt.dll
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeSection loaded: ncryptsslp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: windows.storage.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wldp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: winhttp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: webio.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: mswsock.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: winnsi.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: sspicli.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dnsapi.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: schannel.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: mskeyprotect.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ntasn1.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ncrypt.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ncryptsslp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: msasn1.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: gpapi.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: dpapi.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: uxtheme.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: amsi.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: userenv.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: profapi.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: version.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeCode function: 0_2_002A4760 LoadLibraryA,GetProcAddress,FreeLibrary,0_2_002A4760
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeCode function: 0_2_002E13DC push ecx; ret 0_2_002E13EF
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeCode function: 0_2_002AC786 pushad ; iretd 0_2_002AC78D
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeCode function: 3_2_00AF13DC push ecx; ret 3_2_00AF13EF
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeCode function: 3_2_00ABC786 pushad ; iretd 3_2_00ABC78D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00450DFD pushfd ; ret 6_2_00450E05
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeCode function: 10_2_00EFCBD0 push esp; iretd 10_2_00EFCBD1
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeCode function: 14_2_00EF99E8 push es; ret 14_2_00EF99E9
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeCode function: 0_2_002A6A00 GetTempPathA,GetFileAttributesA,LoadLibraryA,LoadLibraryA,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,FreeLibrary,URLDownloadToFileA,FreeLibrary,FreeLibrary,FreeLibrary,ShellExecuteA,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,std::ios_base::_Ios_base_dtor,0_2_002A6A00
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeFile created: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeJump to dropped file
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AutoStartAppJump to behavior
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AutoStartAppJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeCode function: 0_2_002A20F0 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,FreeLibrary,0_2_002A20F0
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 6001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 5099
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 4239
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7940 | Thread sleep time: -210000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5388 | Thread sleep count: 5099 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8576 | Thread sleep time: -240000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 6980 | Thread sleep count: 4239 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002F4633 FindFirstFileExW,0_2_002F4633
Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 3_2_00B04633 FindFirstFileExW,3_2_00B04633
Source: chrome.exe, 00000014.00000002.2039346094.000060DC01724000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 0000000A.00000002.2777499558.0000000000F42000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWx
Source: chrome.exe, 00000014.00000003.1948115683.00000235A2C09000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945255844.00000235A2BF4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4
Source: chrome.exe, 0000000C.00000002.1862599243.00000185AD7B7000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000002.1862444650.00000185AD760000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2010756668.000002359F0A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: RegSvcs.exe, 00000006.00000002.2779337501.0000000001247000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWq
Source: chrome.exe, 0000000C.00000003.1798771411.00000185AD851000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instruct
Source: chrome.exe, 0000000C.00000003.1798680945.00000185AD844000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flus
Source: chrome.exe, 0000000C.00000002.1860256800.00000185AAFAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V jlwrugvwdbkodxx Bus
Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000003.1556577656.0000000001362000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000002.1562412314.0000000001300000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000002.1562412314.0000000001362000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000003.1556577656.000000000130A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000003.00000002.2777921635.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000003.00000003.1599107352.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000003.00000003.1599107352.00000000014D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000003.00000002.2777921635.0000000001460000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWh
Source: chrome.exe, 00000014.00000002.2010756668.000002359EFE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DHyper-V Hypervisor Root Partitionq
Source: RegAsm.exe, 0000000B.00000002.2780098970.000000000104E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWi
Source: chrome.exe, 00000014.00000002.2037051642.000060DC01214000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=473d94b3-610c-4140-b992-f91c2634531b
Source: chrome.exe, 00000014.00000002.2013310729.00000235A2B80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V VM Vid Partition
Source: chrome.exe, 0000000C.00000003.1800159967.00000185AD8CF000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1790441470.00000185AD8C0000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1792181089.00000185AD8D5000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1947602729.00000235A2CA5000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1944944060.00000235A2C8A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Tr
Source: chrome.exe, 0000000C.00000002.1853094589.00000185A7385000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: chrome.exe, 0000000C.00000002.1860256800.00000185AAF70000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2013310729.00000235A2B46000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Hypervisor Root Partition
Source: chrome.exe, 00000014.00000002.2013310729.00000235A2B80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &Hyper-V Hypervisoriz*Zx
Source: chrome.exe, 0000000C.00000002.1862599243.00000185AD7B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: chrome.exe, 0000000C.00000003.1792275673.00000185AD883000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1791132076.00000185AD883000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ion3218Out - Teredo Bubble3220Out - Teredo Data3222In - Teredo Data User Mode3224In - Teredo Data Kernel Mode3226Out - Teredo Data User Mode3228Out - Teredo Data Kernel Mode6468Hyper-V Dynamic Memory Integration Service6470Maximum Memory, Mbytes1848Bluetooth Radio1850Classic ACL bytes written/sec1852LE ACL bytes written/sec1854SCO bytes written/sec1856Classic ACL bytes read/sec1858LE ACL bytes read/sec1860SCO bytes read/sec1862Classic ACL Connections1864LE ACL Connections1866SCO Connections1868Sideband SCO Connections1870ACL flush events/sec1872LE ACL write credits1874Classic ACL write credits1876LE Scan Duty Cycle (%) - Uncoded 1M Phy1878LE Scan Window - Uncoded 1M Phy1880LE Scan Interval - Uncoded 1M Phy1882Page Scan Duty Cycle (%)1884Page Scan Window1886Page Scan Interval1888Inquiry Scan Duty Cycle (%)1890Inquiry Scan Window1892Inquiry Scan Interval1894LE Scan Duty Cycle (%) - Coded Phy1896LE Scan Window - Coded Phy1898LE Scan Interval - Coded Phy1900Bluetooth Device1902Classic ACL bytes written/sec1904LE ACL bytes written/sec1906SCO bytes written/sec1908Classic ACL bytes read/sec1910LE ACL bytes read/sec1912SCO bytes read/sec3814ServiceModelService 4.0.0.03816Calls^^
Source: chrome.exe, 00000014.00000002.2010756668.000002359EFE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: JHyper-V Hypervisor Logical ProcessorQq
Source: chrome.exe, 0000000C.00000002.1862599243.00000185AD7B7000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2013310729.00000235A2B80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: chrome.exe, 00000014.00000002.2010756668.000002359EFE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AlDHyper-V Virtual Machine Bus Pipesc
Source: chrome.exe, 0000000C.00000002.1862599243.00000185AD7B7000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2013310729.00000235A2B46000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2013310729.00000235A2B80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: chrome.exe, 0000000C.00000002.1862599243.00000185AD7B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Dynamic Memory Integration ServicetM
Source: chrome.exe, 0000000C.00000003.1790591650.00000185AD84F000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1792441151.00000185AD85E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequenc
              Source: chrome.exe, 0000000C.00000002.1860256800.00000185AAFAF000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2010756668.000002359EFE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processor
              Source: chrome.exe, 0000000C.00000002.1862808728.00000185AD8CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ::$DATA6Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Tr
              Source: chrome.exe, 00000014.00000002.2010756668.000002359EFE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sWDHyper-V Hypervisor Root Partitionuipp
              Source: chrome.exe, 0000000C.00000002.1862599243.00000185AD7B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2Hyper-V VM Vid PartitionlllX4
              Source: chrome.exe, 00000014.00000003.1947713766.00000235A2C6E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945014070.00000235A2C6E000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1946118564.00000235A2C6E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle C
              Source: chrome.exe, 0000000C.00000003.1792312150.00000185AD882000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000000C.00000003.1790526314.00000185AD871000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822
              Source: chrome.exe, 00000014.00000003.1946661716.00000235A2BBE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ns4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated I
              Source: chrome.exe, 00000014.00000002.2010756668.000002359EFE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Virtual Machine Bus Pipesl
              Source: chrome.exe, 0000000C.00000002.1860256800.00000185AAFAF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sWDHyper-V Hypervisor Root PartitionultlB
              Source: chrome.exe, 0000000C.00000002.1860256800.00000185AAF70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partitionll
              Source: chrome.exe, 0000000C.00000002.1862599243.00000185AD7B7000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2010756668.000002359F0C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Virtual Processor
              Source: chrome.exe, 0000000C.00000002.1862599243.00000185AD7B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Logical Processorc.sys$M
              Source: chrome.exe, 00000014.00000002.2039395461.000060DC01744000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual USB Mouse
              Source: chrome.exe, 0000000C.00000002.1860256800.00000185AAFAF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Hypervisor Root Partitionult
              Source: chrome.exe, 00000014.00000003.1946610609.00000235A2BEB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: In - Teredo Data Kernel Mode3226Out - Teredo Data User Mode3228Out - Teredo Data Kernel Mode6468Hyper-V Dynamic Memory Integration Service6470Maximum Memory, Mbytes1848Bluetooth Radio1850Classic ACL bytes written/sec1852LE ACL bytes written/sec1854SCO bytes written/sec1856Classic ACL bytes read/sec1858LE ACL bytes read/sec1860SCO bytes read/sec1862Classic ACL Connections1864LE ACL Connections1866SCO Connections1868Sideband SCO Connections1870ACL flush events/sec1872LE ACL write credits1874Classic ACL write credits1876LE Scan Duty Cycle (%) - Uncoded 1M Phy1878LE Scan Window - Uncoded 1M Phy1880LE Scan Interval - Uncoded 1M Phy1882Page Scan Duty Cycle (%)1884Page Scan Window1886Page Scan Interval1888Inquiry Scan Duty Cycle (%)1890Inquiry Scan Window1892Inquiry Scan Interval1894LE Scan Duty Cycle (%) - Coded Phy1896LE Scan Window - Coded Phy1898LE Scan Interval - Coded Phy1900Bluetooth Device1902Classic ACL bytes written/sec1904LE ACL bytes written/sec1906SCO bytes written/sec1908Classic ACL bytes read/sec1910LE ACL bytes read/sec1912SCO bytes read/sec3814ServiceModelService 4.0.0.03816Calls^^
              Source: chrome.exe, 0000000C.00000002.1862599243.00000185AD7B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: X2Hyper-V VM Vid Partitiondll
              Source: chrome.exe, 00000014.00000002.2013310729.00000235A2B80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Partitionl
              Source: chrome.exe, 0000000C.00000002.1862599243.00000185AD7B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V jlwrugvwdbkodxx Bus Pipes/J
              Source: chrome.exe, 0000000C.00000002.1862599243.00000185AD7B7000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2013310729.00000235A2B80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processor
              Source: chrome.exe, 0000000C.00000002.1860256800.00000185AAFAF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JHyper-V Hypervisor Logical Processor
              Source: CasPol.exe, 0000000F.00000002.2777919014.00000000014AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0
              Source: chrome.exe, 00000014.00000002.2010756668.000002359F0B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Virtual ProcessorfK
              Source: chrome.exe, 0000000C.00000003.1791486302.00000185AD83E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Ref
              Source: chrome.exe, 0000000C.00000002.1862599243.00000185AD7B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisor
              Source: chrome.exe, 00000014.00000003.1946661716.00000235A2BC5000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1948416255.00000235A2BC3000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945432790.00000235A2BBE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Ro
              Source: chrome.exe, 0000000C.00000002.1862599243.00000185AD7B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Root Partition~
              Source: chrome.exe, 0000000C.00000002.1860256800.00000185AAFAF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DHyper-V Virtual Machine Bus Pipesult C
              Source: chrome.exe, 00000014.00000003.1914594188.000060DC00370000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware20,1(
              Source: chrome.exe, 0000000C.00000002.1853094589.00000185A73B0000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2013310729.00000235A2B46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisor
              Source: chrome.exe, 00000014.00000003.1948416255.00000235A2BC3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ssions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instruct
              Source: chrome.exe, 00000014.00000002.2010756668.000002359F0B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Dynamic Memory Integration ServiceDK*{
              Source: chrome.exe, 00000014.00000002.2013310729.00000235A2B80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VHyper-V Dynamic Memory Integration ServiceZ+;x
              Source: SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000002.1562412314.0000000001300000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe, 00000000.00000003.1556577656.000000000130A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`E1
              Source: CasPol.exe, 0000000F.00000002.2778999549.00000000014E7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: chrome.exe, 00000014.00000002.2010756668.000002359F0C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Dynamic Memory Integration ServiceUD>{
              Source: chrome.exe, 00000014.00000002.2009963062.000002359B4E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: chrome.exe, 0000000C.00000002.1860256800.00000185AAF61000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partitionll:
              Source: chrome.exe, 0000000C.00000003.1800382392.00000185AD854000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NXTouVMWare
              Source: chrome.exe, 00000014.00000002.2010756668.000002359F0C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor Logical Processor.sys
              Source: chrome.exe, 00000014.00000002.2013310729.00000235A2B46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2Hyper-V VM Vid Partitionmun
              Source: chrome.exe, 00000014.00000002.2013310729.00000235A2B80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: THyper-V Hypervisor Root Virtual Processord[
              Source: chrome.exe, 00000014.00000002.2010756668.000002359F080000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partitionll}
              Source: chrome.exe, 0000000C.00000002.1860256800.00000185AAF80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor{t
              Source: chrome.exe, 0000000C.00000003.1802059372.00000185AD8CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rkflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Tr
              Source: chrome.exe, 0000000C.00000002.1862599243.00000185AD7B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Virtual Machine Bus Pipesl
              Source: chrome.exe, 00000014.00000002.2010756668.000002359F0C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V jlwrugvwdbkodxx Bus0B
              Source: chrome.exe, 0000000C.00000003.1792648970.00000185AD81C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
              Source: chrome.exe, 0000000C.00000003.1792648970.00000185AD81C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions CostleFa
              Source: chrome.exe, 00000014.00000003.1946238846.00000235A2C3A000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945110017.00000235A2C3A000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1947866797.00000235A2C3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/
              Source: chrome.exe, 00000014.00000002.2010756668.000002359F0B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Hypervisor Logical Processor.mui
              Source: chrome.exe, 00000014.00000002.2013310729.00000235A2B80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V jlwrugvwdbkodxx Bus Pipes
              Source: chrome.exe, 0000000C.00000002.1862599243.00000185AD7B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Hypervisor Logical Processormui~M
              Source: chrome.exe, 0000000C.00000002.1862599243.00000185AD7B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Hypervisor Root Virtual ProcessorlM
              Source: chrome.exe, 0000000C.00000002.1853094589.00000185A73B0000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1956368835.00000235A2C57000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
              Source: chrome.exe, 0000000C.00000002.1886489423.00006F94011E8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=74562a82-e6a5-4bf4-ad78-c6ea8b432d7c
              Source: chrome.exe, 0000000C.00000002.1860256800.00000185AAFAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AlDHyper-V Virtual Machine Bus Pipesult
              Source: chrome.exe, 0000000C.00000002.1862599243.00000185AD7B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: THyper-V Hypervisor Root Virtual Processord
              Source: chrome.exe, 0000000C.00000002.1860256800.00000185AAF80000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000002.2013310729.00000235A2B46000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Hypervisor
              Source: chrome.exe, 0000000C.00000002.1862599243.00000185AD7B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l Sessions4806Hyper-V Hypervisor Logical P=
              Source: chrome.exe, 00000014.00000002.2010756668.000002359F0C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NXTntVMWare
              Source: chrome.exe, 00000014.00000003.1946272624.00000235A2C38000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000014.00000003.1945160005.00000235A2C21000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active
              Source: chrome.exe, 00000014.00000003.1946758021.000002359F0D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5068Address Space Switches/sec5070Address Domain Flushes/sec5072Address Space Flushes/sec5074Global GVA Range Flushes/sec5076Local Flushed GVA Ranges/sec5078Page Table Evictions/sec5080Page Table Reclamations/sec5082Page Table Resets/sec
              Source: chrome.exe, 00000014.00000002.2013310729.00000235A2B46000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: X2Hyper-V VM Vid Partition.dll
              Source: chrome.exe, 0000000C.00000003.1791512896.00000185AD81C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flus
              Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process information queried: ProcessInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 15_2_0044C8A0 LdrInitializeThunk,15_2_0044C8A0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002E9131 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_002E9131
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002A4760 LoadLibraryA,GetProcAddress,FreeLibrary,0_2_002A4760
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002E9131 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_002E9131
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002E1985 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_002E1985
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002E1CD9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_002E1CD9
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 3_2_00AF9131 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00AF9131
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 3_2_00AF1985 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00AF1985
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 3_2_00AF1CD9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00AF1CD9

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 3_2_00AB20F0 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,FreeLibrary,FreeLibrary,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenA,InternetOpenUrlA,FreeLibrary,InternetReadFile,InternetReadFile,FreeLibrary,3_2_00AB20F0
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 453000
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 456000
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 464000
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CE1008
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 453000
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 456000
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 464000
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D08008
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 453000
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 456000
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 464000
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: E5A008
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\chicos.pdf"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Process created: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe "C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe"
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9203
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9203
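The evidence above is the textbook suspended-process hollowing chain (CreateProcessA, Wow64GetThreadContext, ReadProcessMemory, VirtualAllocEx, three WriteProcessMemory calls, Wow64SetThreadContext, ResumeThread) aimed at three Microsoft-signed .NET utilities, each of which first receives an RWX allocation at 0x400000, then an MZ header at that base, then further writes inside the image. The hollowed RegAsm.exe and CasPol.exe then start Chrome with --remote-debugging-port=9203, which is what triggers the "Attempt to bypass Chrome Application-Bound Encryption" signature: a local client talking to the DevTools port receives cookies the browser has already decrypted, so the app-bound key is never needed. The Python below is an added triage example, not part of the Joe Sandbox report or of the sample; it folds the report's "Memory allocated", "Memory written" and "Process created" lines (copied inline, with a " | " separator we inserted between the acting process and the detail) into a per-target verdict. The 0x100000 image-size bound and the reading of the trailing CE1008 / D08008 / E5A008 writes as the ImageBaseAddress field at PEB+8 are our assumptions and are labelled as such in the code.

```python
"""Added triage example (not from the Joe Sandbox report): rebuild the per-target injection
story from the report's evidence lines. Assumes the 32-bit image base 0x400000 the report
shows and a 32-bit PEB whose ImageBaseAddress field sits at offset 0x8 (both labelled below)."""
import ntpath
import re
from dataclasses import dataclass, field

IMAGE_BASE = 0x400000   # image base the report shows for all three .NET hosts
IMAGE_SPAN = 0x100000   # assumed size bound of the mapped image, used only for range checks
REMOTE_DEBUG_FLAG = "--remote-debugging-port="
# Classic suspended-process hollowing order; the report's 3_2_00AB20F0 chain contains all seven.
HOLLOWING_APIS = ["CreateProcessA", "Wow64GetThreadContext", "ReadProcessMemory", "VirtualAllocEx",
                  "WriteProcessMemory", "Wow64SetThreadContext", "ResumeThread"]

DROPPER = r"C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe"
NET = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Evidence lines copied from the report; the selection and the " | " separator are ours.
REPORT_LINES = [
    f"Source: {DROPPER} | Memory allocated: {NET}RegAsm.exe base: 400000 protect: page execute and read and write",
    f"Source: {DROPPER} | Memory written: {NET}RegAsm.exe base: 400000 value starts with: 4D5A",
    f"Source: {DROPPER} | Memory written: {NET}RegAsm.exe base: 401000",
    f"Source: {DROPPER} | Memory written: {NET}RegAsm.exe base: 453000",
    f"Source: {DROPPER} | Memory written: {NET}RegAsm.exe base: D08008",
    f'Source: {DROPPER} | Process created: {NET}RegAsm.exe "{NET}RegAsm.exe"',
    f'Source: {NET}RegAsm.exe | Process created: {CHROME} "{CHROME}" '
    '--profile-directory="Default" --remote-debugging-port=9203',
]
REPORT_API_CHAIN = ("LoadLibraryA,LoadLibraryA," + ",".join(["GetProcAddress"] * 12)
                    + ",CreateProcessA,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,"
                    "WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,"
                    "ResumeThread,FreeLibrary,FreeLibrary,FreeLibrary")

RE_SOURCE = re.compile(r"^Source:\s*(?P<src>.+?\.exe)")
RE_ALLOC = re.compile(r"Memory allocated:\s*(?P<target>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
RE_WRITE = re.compile(r"Memory written:\s*(?P<target>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+)"
                      r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?(?:Jump to behavior)?\s*$")
RE_PROC = re.compile(r"Process created:\s*(?P<image>.+?\.exe) (?P<cmdline>.*)$")


@dataclass
class TargetState:
    rwx_at_image_base: bool = False
    mz_at_image_base: bool = False
    in_image_writes: list = field(default_factory=list)
    out_of_image_writes: list = field(default_factory=list)
    children: list = field(default_factory=list)   # (image, cmdline) pairs this process spawned


def parse(lines):
    """Fold the evidence lines into one TargetState per process path."""
    targets = {}
    for line in lines:
        src = RE_SOURCE.match(line)
        if not src:
            continue
        if m := RE_ALLOC.search(line):
            prot = m["prot"].lower()
            if int(m["base"], 16) == IMAGE_BASE and "execute" in prot and "write" in prot:
                targets.setdefault(m["target"], TargetState()).rwx_at_image_base = True
        elif m := RE_WRITE.search(line):
            base, t = int(m["base"], 16), targets.setdefault(m["target"], TargetState())
            if base == IMAGE_BASE and (m["magic"] or "").upper() == "4D5A":
                t.mz_at_image_base = True           # PE header landed on the image base
            elif IMAGE_BASE <= base < IMAGE_BASE + IMAGE_SPAN:
                t.in_image_writes.append(base)      # section bodies following the header
            else:
                t.out_of_image_writes.append(base)
        elif m := RE_PROC.search(line):
            targets.setdefault(src["src"], TargetState()).children.append((m["image"], m["cmdline"]))
    return targets


def assess(targets):
    """Return {process: [verdicts]} for every process with an injection-related finding."""
    findings = {}
    for name, t in targets.items():
        verdicts = []
        if t.rwx_at_image_base and t.mz_at_image_base and t.in_image_writes:
            verdicts.append("hollowed: RWX alloc + MZ header + %d section writes at image base 0x%X"
                            % (len(t.in_image_writes), IMAGE_BASE))
            # Assumption: a write outside the image whose low 12 bits are 0x008 lines up with
            # PEB+8, where a 32-bit PEB keeps ImageBaseAddress (the field hollowing must patch).
            for addr in t.out_of_image_writes:
                if addr & 0xFFF == 0x008:
                    verdicts.append("PEB.ImageBaseAddress patch candidate at 0x%X" % addr)
        for image, cmdline in t.children:
            if REMOTE_DEBUG_FLAG in cmdline:
                port = cmdline.split(REMOTE_DEBUG_FLAG, 1)[1].split()[0]
                verdicts.append("spawned %s with remote debugging on port %s" % (ntpath.basename(image), port))
        if verdicts:
            findings[name] = verdicts
    return findings


def is_hollowing_chain(chain):
    """True when HOLLOWING_APIS occur in `chain` in that relative order (other calls may interleave)."""
    it = iter(chain)
    return all(any(call == wanted for call in it) for wanted in HOLLOWING_APIS)
```

Calling assess(parse(REPORT_LINES)) yields a single entry, for RegAsm.exe: hollowed with two section writes, a PEB+8 candidate at 0xD08008, and a chrome.exe child with remote debugging on port 9203. The dropper path is present in the parsed data as a parent but gets no verdict, because nothing is written into it and the child it launches carries no debugging flag. That is the distinction a detection rule should preserve: alert on the process that receives an MZ header at its own image base, and on the parent whose child command line carries --remote-debugging-port, rather than on every CreateProcess caller. is_hollowing_chain checks only relative order, so the interleaved GetProcAddress and FreeLibrary calls in the report's chain do not hide the sequence.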
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: EnumSystemLocalesW,0_2_002F7221
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: EnumSystemLocalesW,0_2_002F726C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: EnumSystemLocalesW,0_2_002F7307
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_002F7392
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: GetLocaleInfoW,0_2_002F75E5
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: EnumSystemLocalesW,0_2_002F06DA
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_002F770E
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: GetLocaleInfoW,0_2_002F7814
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_002F78EA
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: GetLocaleInfoW,0_2_002F0BA9
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_002F6F75
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: EnumSystemLocalesW,3_2_00B07221
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: EnumSystemLocalesW,3_2_00B0726C
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_00B07392
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: EnumSystemLocalesW,3_2_00B07307
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: GetLocaleInfoW,3_2_00B075E5
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: EnumSystemLocalesW,3_2_00B006DA
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_00B0770E
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_00B078EA
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: GetLocaleInfoW,3_2_00B07814
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: GetLocaleInfoW,3_2_00B00BA9
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,3_2_00B06F75
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002E8778 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,0_2_002E8778
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Code function: 0_2_002A6280 VirtualQuery,VirtualAlloc,VirtualProtect,VirtualProtect,VirtualProtect,GetVersionExW,GetCurrentProcess,FlushInstructionCache,VirtualFree,0_2_002A6280
              Source: C:\Users\user\AppData\Roaming\SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: RegSvcs.exe, 00000006.00000002.2779577685.0000000001290000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2779181846.0000000001045000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2779181846.0000000001031000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2780929751.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2780475244.00000000010A6000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000F.00000002.2780300328.0000000001563000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 0000000F.00000002.2779602036.000000000155A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: 0000000B.00000002.2783206644.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7920, type: MEMORYSTR
              Source: Yara match | File source: 0000000A.00000003.1727265327.0000000003871000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2782206486.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.1800206145.00000000039E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2781644555.0000000003BB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.2781289023.00000000038F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.2780291732.00000000039E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.2780932977.0000000003B80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.2781290001.0000000003B30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.2781772954.0000000003A10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6732, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdliaogehgdbhbnmkklieghmmjkpigpa
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfo
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\FTPbox
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\FTPRush
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetter
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTP
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Binance
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Binance
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\DUUDTUBZFWJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\GLTYDMDUSTJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\GLTYDMDUSTJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\PALRGUCVEHJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\PALRGUCVEHJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKCJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKCJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\TQDFJHPUIUJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\TQDFJHPUIUJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\LIJDSFKJZGJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\NVWZAPQSQLJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\PALRGUCVEHJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\PALRGUCVEHJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDirectory queried: C:\Users\user\Documents\QCOILOQIKCJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Directory queried: C:\Users\user\Documents\TQDFJHPUIU

Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9203
Source: Yara match | File source: 0000000B.00000002.2783206644.0000000003540000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7920, type: MEMORYSTR
Source: Yara match | File source: 0000000A.00000003.1727265327.0000000003871000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2782206486.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.1800206145.00000000039E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2781644555.0000000003BB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2781289023.00000000038F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2780291732.00000000039E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2780932977.0000000003B80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2781290001.0000000003B30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2781772954.0000000003A10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6732, type: MEMORYSTR
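The process-creation row above is the evidence behind the report's "Attempt to bypass Chrome Application-Bound Encryption" signature: the injected RegAsm.exe starts the victim's own Chrome with --remote-debugging-port, which exposes the DevTools protocol on loopback, so the stealer can ask the browser process for already-decrypted cookies and credentials instead of decrypting the app-bound key itself (the 127.0.0.1 connection from RegAsm.exe in the behavior graph is consistent with that). The following detection routine is an added example, not part of the Joe Sandbox report or of any vendor's product. It takes Sysmon-style process-create and network-connect records; the browser and parent lists are assumptions, and every sample event except the first command line is constructed here (the loopback port 9203 in the network record is assumed, the report only shows the 127.0.0.1 destination).

```python
"""Flag Chromium browsers launched with a DevTools remote-debugging switch.

Added example. Event dictionaries mimic Sysmon Event ID 1 (process create) and
Event ID 3 (network connect) field names; all sample events below are constructed
except the first command line, which is the one the sandbox report recorded.
"""
import re

# Chromium-based browser binaries to watch (assumed list; extend as needed).
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe", "opera.exe", "vivaldi.exe"}
# Parents from which a developer might legitimately type a debugging launch.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}

DEBUG_PORT_RE = re.compile(r"--remote-debugging-port=(\d+)", re.IGNORECASE)
DEBUG_PIPE_RE = re.compile(r"--remote-debugging-pipe\b", re.IGNORECASE)
HELPER_TYPE_RE = re.compile(r"--type=\S+")  # renderer/gpu/utility children the browser spawns itself


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_remote_debugging(process_events, network_events=()):
    """Return one finding per browser launch that exposes the DevTools protocol.

    A finding is raised when a Chromium browser main process (no --type= switch)
    starts with --remote-debugging-port or --remote-debugging-pipe. Severity is
    'high' unless the parent is an interactive shell; a loopback connection from
    the parent to the chosen port is recorded as corroboration.
    """
    findings = []
    for ev in process_events:
        image = basename(ev["Image"])
        cmdline = ev.get("CommandLine", "")
        if image not in CHROMIUM_BROWSERS or HELPER_TYPE_RE.search(cmdline):
            continue
        port_match = DEBUG_PORT_RE.search(cmdline)
        uses_pipe = bool(DEBUG_PIPE_RE.search(cmdline))
        if not port_match and not uses_pipe:
            continue
        port = int(port_match.group(1)) if port_match else None
        parent = basename(ev["ParentImage"])
        loopback = any(
            basename(n["Image"]) == parent
            and n["DestinationIp"] == "127.0.0.1"
            and (port is None or int(n["DestinationPort"]) == port)
            for n in network_events
        )
        findings.append({
            "image": image,
            "parent": parent,
            "port": port,
            "pipe": uses_pipe,
            "headless": "--headless" in cmdline.lower(),
            "severity": "medium" if parent in INTERACTIVE_PARENTS else "high",
            "loopback_connection": loopback,
            "command_line": cmdline,
        })
    return findings


SAMPLE_PROCESS_EVENTS = [
    {   # command line as recorded by the sandbox; the parent is the injected RegAsm.exe
        "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9203',
    },
    {   # constructed: ordinary user launch, no finding
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
    },
    {   # constructed: browser helper process, skipped so one launch is counted once
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US',
    },
    {   # constructed: developer headless run from a shell, lower severity
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --remote-debugging-port=9222 https://example.test/',
    },
]
SAMPLE_NETWORK_EVENTS = [
    {   # constructed: the report shows RegAsm.exe reaching 127.0.0.1; the port is assumed
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
        "DestinationIp": "127.0.0.1",
        "DestinationPort": 9203,
    },
]

if __name__ == "__main__":
    for f in detect_remote_debugging(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS):
        print(f"[{f['severity']}] {f['parent']} -> {f['image']} port={f['port']} "
              f"headless={f['headless']} loopback={f['loopback_connection']}")
```

Helper processes are excluded on the --type= switch because the browser itself spawns them, and a non-browser, non-shell parent is what separates this pattern from a developer's own headless run. Recent Chrome builds (from version 136) ignore the remote-debugging switches for the default user data directory, which is not something the report states but does mean the check matters most for older builds and for the other Chromium browsers in the watch list.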
MITRE ATT&CK Matrix (as rendered by the report, one tactic per row; a bracketed number is the signature-count badge the report attaches to a technique it matched, techniques without one are the unmarked cells of the matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: [12] Windows Management Instrumentation; [1] Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: [1] DLL Side-Loading; [1] Create Account; [1] Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: [1] DLL Side-Loading; [1] Extra Window Memory Injection; [411] Process Injection; [1] Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: [1] Deobfuscate/Decode Files or Information; [3] Obfuscated Files or Information; [1] DLL Side-Loading; [1] Extra Window Memory Injection; [1] Masquerading; [21] Virtualization/Sandbox Evasion; [411] Process Injection; Indicator Removal from Tools
Credential Access: [2] OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: [1] System Time Discovery; [12] File and Directory Discovery; [34] System Information Discovery; [1] Query Registry; [331] Security Software Discovery; [21] Virtualization/Sandbox Evasion; [1] Process Discovery; [1] Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: [1] Archive Collected Data; [31] Data from Local System; [3] Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: [12] Ingress Tool Transfer; [21] Encrypted Channel; [1] Remote Access Software; [3] Non-Application Layer Protocol; [14] Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph (ID 1663544; sample SecuriteInfo.com.Trojan.Heu...; start date 11/04/2025; architecture WINDOWS; score 100). Text rendering of the graph's nodes: bracketed numbers are the graph's own node IDs, and the numbers in parentheses after a process name are the badges drawn on that node.

[2] Start
    DNS/IP: unbinddas.digital; x1.i.lencr.org; 7 other IPs or domains
    Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected LummaC Stealer; 3 other signatures
    Started: [9], [13], [16] SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe

[9] SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe (3, 18)
    DNS/IP: bitbucket.org 104.192.142.25, ports 443, 49684, 49686, AMAZON-AES US, United States; s3-w.us-east-1.amazonaws.com 3.5.21.193, ports 443, 49685, AMAZON-AES US, United States
    Dropped: SecuriteInfo.com.T...3uBfc.2836.5163.exe (PE32); SecuriteInfo.com.T...exe:Zone.Identifier (ASCII)
    Started: [18] SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe (1, 13); [21] Acrobat.exe (72)

[13] SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe
    DNS/IP: 104.192.142.26, ports 443, 49725, AMAZON-AES US, United States
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    Started: [23] CasPol.exe

[16] SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe
    Started: [25] RegAsm.exe

[18] SecuriteInfo.com.Trojan.Heur.TP.RuW@bOo3uBfc.2836.5163.exe
    Signatures: Multi AV Scanner detection for dropped file; Contains functionality to inject code into remote processes; Writes to foreign memory regions; 2 other signatures
    Started: [28] RegSvcs.exe

[21] Acrobat.exe
    Started: [32] AcroCEF.exe (102)

[23] CasPol.exe
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    Started: [34] chrome.exe

[25] RegAsm.exe
    DNS/IP: 127.0.0.1, unknown, unknown
    Signatures: Attempt to bypass Chrome Application-Bound Encryption; Tries to steal Crypto Currency Wallets
    Started: [36] chrome.exe

[28] RegSvcs.exe
    DNS/IP: unbinddas.digital 172.67.172.163, ports 443, 49687, 49691, CLOUDFLARENET US, United States
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets

[32] AcroCEF.exe
    DNS/IP: e8652.dscx.akamaiedge.net 23.216.73.76, ports 49693, 80, AKAMAI-ASN1 EU, United States
    Started: [38] AcroCEF.exe (2)

[34] chrome.exe
    Started: [40] chrome.exe

[36] chrome.exe
    DNS/IP: 192.168.2.6, ports 138, 443, 49667, unknown, unknown
    Started: [43] chrome.exe

[40] chrome.exe
    DNS/IP: 173.194.219.104, ports 443, 49749, 49752, GOOGLE US, United States; ogads-pa.clients6.google.com

[43] chrome.exe
    DNS/IP: www.google.com 142.250.105.106, ports 443, 49714, 49717, GOOGLE US, United States; plus.l.google.com 64.233.185.113, ports 443, 49727, GOOGLE US, United States; 3 other IPs or domains
