Edit tour

Windows Analysis Report
hX2c2UOBSX.exe

Overview

General Information

Sample name:	hX2c2UOBSX.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:	2025-02-05_99b271b7177504f779a2fdc07ce4ec15_frostygoop_poet-rat_snatch
Analysis ID:	1608410
MD5:	99b271b7177504f779a2fdc07ce4ec15
SHA1:	d68b00add23513c61cecc7b77767744555041380
SHA256:	3defc89a9190f7ba4474aaa8fb3f5a738a721dc1999ac6f71d438cdceadb20e7
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Monitors registry run keys for changes

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Browser Started with Remote Debugging

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

hX2c2UOBSX.exe (PID: 6720 cmdline: "C:\Users\user\Desktop\hX2c2UOBSX.exe" MD5: 99B271B7177504F779A2FDC07CE4EC15)

BitLockerToGo.exe (PID: 3524 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

chrome.exe (PID: 1644 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2508 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 --field-trial-handle=2352,i,12889563372584543830,4112607427358545807,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msedge.exe (PID: 7728 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7984 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2520 --field-trial-handle=2540,i,2978208474614954716,5468378796745314197,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cmd.exe (PID: 3196 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" & rd /s /q "C:\ProgramData\wt000" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 3872 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

msedge.exe (PID: 7968 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7340 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2672 --field-trial-handle=2084,i,4349758898381400931,1592003162403205236,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 1568 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6844 --field-trial-handle=2084,i,4349758898381400931,1592003162403205236,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3504 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7008 --field-trial-handle=2084,i,4349758898381400931,1592003162403205236,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5688 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=2932 --field-trial-handle=2084,i,4349758898381400931,1592003162403205236,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199824159981", "Botnet": "a110mgz"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2335076897.0000000009F00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2335076897.0000000009F00000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
00000000.00000002.2335096406.000000000A0FA000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2335096406.000000000A0FA000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
00000000.00000003.2282462028.0000000009F00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000003.2282462028.0000000009F00000.00000004.00001000.00020000.00000000.sdmp	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
00000003.00000003.2380240783.00000000027C4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000003.2281700446.000000000A016000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000003.00000002.3078403678.00000000027B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2266906038.000000000A0EA000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000003.2393340952.00000000027C5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: hX2c2UOBSX.exe PID: 6720	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 3524	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 3524	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.3.hX2c2UOBSX.exe.9f00000.3.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1917f:$str01: MachineID: 0x19227:$str03: [Hardware] 0x19168:$str04: VideoCard: 0x188c0:$str05: [Processes] 0x188cc:$str06: [Software] 0x18ebc:$str08: %s\* 0x18f09:$str08: %s\* 0x183fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x18792:$str12: UseMasterPassword 0x19233:$str13: Soft: WinSCP 0x18c6b:$str14: <Pass encoding="base64"> 0x19216:$str15: Soft: FileZilla 0x187bd:$str17: build_id 0x18884:$str18: file_data
0.3.hX2c2UOBSX.exe.9f20000.2.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1917f:$str01: MachineID: 0x19227:$str03: [Hardware] 0x19168:$str04: VideoCard: 0x188c0:$str05: [Processes] 0x188cc:$str06: [Software] 0x18ebc:$str08: %s\* 0x18f09:$str08: %s\* 0x183fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x18792:$str12: UseMasterPassword 0x19233:$str13: Soft: WinSCP 0x18c6b:$str14: <Pass encoding="base64"> 0x19216:$str15: Soft: FileZilla 0x187bd:$str17: build_id 0x18884:$str18: file_data
0.2.hX2c2UOBSX.exe.a0fa000.2.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1917f:$str01: MachineID: 0x19227:$str03: [Hardware] 0x19168:$str04: VideoCard: 0x188c0:$str05: [Processes] 0x188cc:$str06: [Software] 0x18ebc:$str08: %s\* 0x18f09:$str08: %s\* 0x183fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x18792:$str12: UseMasterPassword 0x19233:$str13: Soft: WinSCP 0x18c6b:$str14: <Pass encoding="base64"> 0x19216:$str15: Soft: FileZilla 0x187bd:$str17: build_id 0x18884:$str18: file_data
0.3.hX2c2UOBSX.exe.9ee0000.4.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1917f:$str01: MachineID: 0x19227:$str03: [Hardware] 0x19168:$str04: VideoCard: 0x188c0:$str05: [Processes] 0x188cc:$str06: [Software] 0x18ebc:$str08: %s\* 0x18f09:$str08: %s\* 0x183fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x18792:$str12: UseMasterPassword 0x19233:$str13: Soft: WinSCP 0x18c6b:$str14: <Pass encoding="base64"> 0x19216:$str15: Soft: FileZilla 0x187bd:$str17: build_id 0x18884:$str18: file_data
0.2.hX2c2UOBSX.exe.9f00000.1.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1917f:$str01: MachineID: 0x19227:$str03: [Hardware] 0x19168:$str04: VideoCard: 0x188c0:$str05: [Processes] 0x188cc:$str06: [Software] 0x18ebc:$str08: %s\* 0x18f09:$str08: %s\* 0x183fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x18792:$str12: UseMasterPassword 0x19233:$str13: Soft: WinSCP 0x18c6b:$str14: <Pass encoding="base64"> 0x19216:$str15: Soft: FileZilla 0x187bd:$str17: build_id 0x18884:$str18: file_data
0.3.hX2c2UOBSX.exe.9f40000.1.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x1917f:$str01: MachineID: 0x19227:$str03: [Hardware] 0x19168:$str04: VideoCard: 0x188c0:$str05: [Processes] 0x188cc:$str06: [Software] 0x18ebc:$str08: %s\* 0x18f09:$str08: %s\* 0x183fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x18792:$str12: UseMasterPassword 0x19233:$str13: Soft: WinSCP 0x18c6b:$str14: <Pass encoding="base64"> 0x19216:$str15: Soft: FileZilla 0x187bd:$str17: build_id 0x18884:$str18: file_data
0.3.hX2c2UOBSX.exe.9f00000.3.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.3.hX2c2UOBSX.exe.9f00000.3.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
3.2.BitLockerToGo.exe.430000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
3.2.BitLockerToGo.exe.430000.0.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
0.2.hX2c2UOBSX.exe.a0fa000.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.hX2c2UOBSX.exe.a0fa000.2.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
0.2.hX2c2UOBSX.exe.9f00000.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.hX2c2UOBSX.exe.9f00000.1.raw.unpack	infostealer_win_vidar_strings_nov23	Finds Vidar samples based on the specific strings	Sekoia.io	0x19f7f:$str01: MachineID: 0x18f4f:$str02: Work Dir: In memory 0x1a027:$str03: [Hardware] 0x19f68:$str04: VideoCard: 0x196c0:$str05: [Processes] 0x196cc:$str06: [Software] 0x18fe0:$str07: information.txt 0x19cbc:$str08: %s\* 0x19d09:$str08: %s\* 0x191fd:$str11: Software\Martin Prikryl\WinSCP 2\Configuration 0x19592:$str12: UseMasterPassword 0x1a033:$str13: Soft: WinSCP 0x19a6b:$str14: <Pass encoding="base64"> 0x1a016:$str15: Soft: FileZilla 0x18fd2:$str16: passwords.txt 0x195bd:$str17: build_id 0x19684:$str18: file_data
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe", ParentImage: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, ParentProcessId: 3524, ParentProcessName: BitLockerToGo.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 1644, ProcessName: chrome.exe

Suricata Signatures

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-06T15:13:22.632746+0100	2044247	1	Malware Command and Control Activity Detected	5.75.214.119	443	192.168.2.5	49817	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-06T15:13:23.975484+0100	2051831	1	Malware Command and Control Activity Detected	5.75.214.119	443	192.168.2.5	49825	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-06T15:13:21.324989+0100	2049087	1	A Network Trojan was detected	192.168.2.5	49807	5.75.214.119	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-06T15:13:25.316977+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49835	5.75.214.119	443	TCP
2025-02-06T15:13:26.523189+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49843	5.75.214.119	443	TCP
2025-02-06T15:13:34.653641+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49917	5.75.214.119	443	TCP
2025-02-06T15:13:34.947132+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49927	5.75.214.119	443	TCP
2025-02-06T15:13:35.967439+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49933	5.75.214.119	443	TCP
2025-02-06T15:13:37.298075+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49944	5.75.214.119	443	TCP
2025-02-06T15:13:39.051192+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49949	5.75.214.119	443	TCP
2025-02-06T15:13:45.132271+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	49992	5.75.214.119	443	TCP
2025-02-06T15:13:46.062989+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50015	5.75.214.119	443	TCP
2025-02-06T15:13:46.984710+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50033	5.75.214.119	443	TCP
2025-02-06T15:13:49.086259+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50067	5.75.214.119	443	TCP
2025-02-06T15:13:50.168599+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50102	5.75.214.119	443	TCP
2025-02-06T15:13:52.319194+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50114	5.75.214.119	443	TCP
2025-02-06T15:13:53.329881+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50116	5.75.214.119	443	TCP
2025-02-06T15:13:59.999882+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50128	5.75.214.119	443	TCP
2025-02-06T15:14:02.148130+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50130	5.75.214.119	443	TCP
2025-02-06T15:14:11.979418+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50135	5.75.214.119	443	TCP
2025-02-06T15:14:12.911977+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50136	5.75.214.119	443	TCP
2025-02-06T15:14:14.078977+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50137	5.75.214.119	443	TCP
2025-02-06T15:14:14.792903+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50138	5.75.214.119	443	TCP
2025-02-06T15:14:16.766105+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50139	5.75.214.119	443	TCP
2025-02-06T15:14:17.163922+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50140	5.75.214.119	443	TCP
2025-02-06T15:14:19.269936+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50141	5.75.214.119	443	TCP
2025-02-06T15:14:20.176311+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50142	5.75.214.119	443	TCP
2025-02-06T15:14:21.293314+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50143	5.75.214.119	443	TCP
2025-02-06T15:14:22.258651+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50144	5.75.214.119	443	TCP
2025-02-06T15:14:23.287703+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50145	5.75.214.119	443	TCP
2025-02-06T15:14:24.313988+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50146	5.75.214.119	443	TCP
2025-02-06T15:14:25.356530+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50147	5.75.214.119	443	TCP
2025-02-06T15:14:26.338741+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50148	5.75.214.119	443	TCP
2025-02-06T15:14:27.373903+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.5	50149	5.75.214.119	443	TCP

ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-06T15:13:34.947132+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	49927	5.75.214.119	443	TCP
2025-02-06T15:13:35.967439+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	49933	5.75.214.119	443	TCP
2025-02-06T15:13:37.298075+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	49944	5.75.214.119	443	TCP
2025-02-06T15:13:46.062989+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50015	5.75.214.119	443	TCP
2025-02-06T15:13:46.984710+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50033	5.75.214.119	443	TCP
2025-02-06T15:13:49.086259+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50067	5.75.214.119	443	TCP
2025-02-06T15:13:50.168599+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50102	5.75.214.119	443	TCP
2025-02-06T15:13:52.319194+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50114	5.75.214.119	443	TCP
2025-02-06T15:13:53.329881+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.5	50116	5.75.214.119	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-06T15:13:19.957055+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.5	49796	5.75.214.119	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://vikine.rest

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2335076897.0000000009F00000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199824159981", "Botnet": "a110mgz"}

Multi AV Scanner detection for submitted file

Source: hX2c2UOBSX.exe	Virustotal: Detection: 45%			Perma Link
Source: hX2c2UOBSX.exe	ReversingLabs: Detection: 34%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_00435FE7 CryptUnprotectData,

3_2_00435FE7

Source: hX2c2UOBSX.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.214.119:443 -> 192.168.2.5:49786 version: TLS 1.2

Source: hX2c2UOBSX.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbA source: hX2c2UOBSX.exe, 00000000.00000002.2335076897.0000000009F00000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000002.2334915170.0000000009E2A000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000003.2282462028.0000000009EFA000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000003.2266906038.000000000A0EA000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3077471735.0000000000449000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: vdr1.pdb source: hX2c2UOBSX.exe, 00000000.00000003.2282403571.0000000009F2A000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000002.2335076897.0000000009F00000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000002.2334915170.0000000009E2A000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000003.2266906038.000000000A0EA000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3077471735.0000000000449000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdb source: hX2c2UOBSX.exe, 00000000.00000003.2281790488.0000000009FDC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cryptosetup.pdbGCTL source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002810000.00000004.00000020.00020000.00000000.sdmp, ymymyu.3.dr
Source:	Binary string: cryptosetup.pdb source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002810000.00000004.00000020.00020000.00000000.sdmp, ymymyu.3.dr
Source:	Binary string: D{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: BitLockerToGo.pdbGCTL source: hX2c2UOBSX.exe, 00000000.00000003.2281790488.0000000009FDC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: hX2c2UOBSX.exe, 00000000.00000002.2335076897.0000000009F00000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000002.2334915170.0000000009E2A000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000003.2282462028.0000000009EFA000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000003.2266906038.000000000A0EA000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3077471735.0000000000449000.00000002.00000400.00020000.00000000.sdmp

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00437891 FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,	3_2_00437891
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043A69C FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,	3_2_0043A69C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00438776 FindFirstFileA,FindNextFileA,	3_2_00438776
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004313DA FindFirstFileA,	3_2_004313DA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00441187 FindFirstFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,	3_2_00441187
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00436784 FindFirstFileA,CopyFileA,CopyFileA,DeleteFileA,FindNextFileA,	3_2_00436784

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_00441722 GetLogicalDriveStringsA,GetDriveTypeA,

3_2_00441722

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 9MB later: 38MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49843 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.5:49807 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.5:49796 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.214.119:443 -> 192.168.2.5:49817
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49835 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49944 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.214.119:443 -> 192.168.2.5:49825
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49944 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49933 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49933 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49949 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49927 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:49927 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49917 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50015 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50015 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:49992 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50067 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50067 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50102 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50102 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50033 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50033 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50116 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50116 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50114 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.5:50114 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50128 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50130 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50137 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50139 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50147 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50140 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50144 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50138 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50141 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50149 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50136 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50135 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50143 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50146 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50145 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50148 -> 5.75.214.119:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.5:50142 -> 5.75.214.119:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199824159981

Source: global traffic

HTTP traffic detected: GET /sok33tn HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 20.189.173.4 20.189.173.4
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.4
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.4
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.4
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.203.186
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.203.186
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.203.186
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.203.186
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.203.186
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.203.186
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.4
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.4
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.4
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.4
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.4
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.4
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.203.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.203.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.203.181
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.4
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.4
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 108.139.47.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.4
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.4
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.4
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.4
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.4
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.4
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.203.186
Source: unknown	TCP traffic detected without corresponding DNS query: 23.44.203.186

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_00433C79 InternetOpenA,InternetConnectA,HttpSendRequestA,InternetReadFile,

3_2_00433C79

Source: global traffic	HTTP traffic detected: GET /sok33tn HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: vikine.restConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.b70cb75853005ad9eaf6.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=CE0E652B5D8D48BD9CEED68016FD3F91.RefC=2025-02-06T14:13:42Z; USRLOC=; MUID=217C5528C8796198364940A3C90B602C; MUIDB=217C5528C8796198364940A3C90B602C; _EDGE_S=F=1&SID=05F2AF0F352666F437A1BA8434446707; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.8ed343c804e9069b52b4.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=CE0E652B5D8D48BD9CEED68016FD3F91.RefC=2025-02-06T14:13:42Z; USRLOC=; MUID=217C5528C8796198364940A3C90B602C; MUIDB=217C5528C8796198364940A3C90B602C; _EDGE_S=F=1&SID=05F2AF0F352666F437A1BA8434446707; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.f30eb488fb3069c7561f.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.7fc3109769390e0f7912.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.c2b5bd53979429263469.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.5752b34859dc7db29063.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /crx/blobs/ASuc5ohfQPNzGo5SSihcSk6msC8CUKw5id-p0KCEkBKwK2LS4AjdrDP0wa1qjzCTaTWEfyM52ADmUAdPETYA5vgD87UPEj6gyG11hjsvMLHGmzQgJ9F5D8s8Lo0Lbai5BQYAxlKa5esPJXukyaicyq83JwZ0HIWqzrjN/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_86_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /statics/icons/favicon_newtabpage.png HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=217C5528C8796198364940A3C90B602C; _EDGE_S=F=1&SID=05F2AF0F352666F437A1BA8434446707; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b?rn=1738851226822&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=217C5528C8796198364940A3C90B602C&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1738851226821&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=ce0e652b5d8d48bd9ceed68016fd3f91&activityId=ce0e652b5d8d48bd9ceed68016fd3f91&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=217C5528C8796198364940A3C90B602C; _EDGE_S=F=1&SID=05F2AF0F352666F437A1BA8434446707; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b2?rn=1738851226822&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=217C5528C8796198364940A3C90B602C&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=14669adb97e47d2730805411738851228; XID=14669adb97e47d2730805411738851228
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 8.15sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 200sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=CE0E652B5D8D48BD9CEED68016FD3F91.RefC=2025-02-06T14:13:42Z; USRLOC=; MUID=217C5528C8796198364940A3C90B602C; MUIDB=217C5528C8796198364940A3C90B602C; _EDGE_S=F=1&SID=05F2AF0F352666F437A1BA8434446707; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=f16812a0-69e3-44e9-97c8-c0716fcbf332; ai_session=imdU2rn9cNL2Xs3d1IDxFe\|1738851226817\|1738851226817; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=CE0E652B5D8D48BD9CEED68016FD3F91.RefC=2025-02-06T14:13:42Z
Source: global traffic	HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: /Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":39,"imageId":"BB1msIAw","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=CE0E652B5D8D48BD9CEED68016FD3F91.RefC=2025-02-06T14:13:42Z; USRLOC=; MUID=217C5528C8796198364940A3C90B602C; MUIDB=217C5528C8796198364940A3C90B602C; _EDGE_S=F=1&SID=05F2AF0F352666F437A1BA8434446707; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=f16812a0-69e3-44e9-97c8-c0716fcbf332; ai_session=imdU2rn9cNL2Xs3d1IDxFe\|1738851226817\|1738851226817; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=CE0E652B5D8D48BD9CEED68016FD3F91.RefC=2025-02-06T14:13:42Z
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1738851226821&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=ce0e652b5d8d48bd9ceed68016fd3f91&activityId=ce0e652b5d8d48bd9ceed68016fd3f91&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=1BAE8938B5D74332991173A0D79A099E&MUID=217C5528C8796198364940A3C90B602C HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=217C5528C8796198364940A3C90B602C; _EDGE_S=F=1&SID=05F2AF0F352666F437A1BA8434446707; _EDGE_V=1; SM=T; _C_ETH=1; msnup=%7B%22cnex%22%3A%22no%22%7D

Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: 000003.log7.10.dr	String found in binary or memory: "www.facebook.com": "{\"Tier1\": [1103, 6061], \"Tier2\": [5445, 1780, 8220]}", equals www.facebook.com (Facebook)
Source: 000003.log7.10.dr	String found in binary or memory: "www.linkedin.com": "{\"Tier1\": [1103, 214, 6061], \"Tier2\": [2771, 9515, 1780, 1303, 1099, 6081, 5581, 9396]}", equals www.linkedin.com (Linkedin)
Source: 000003.log7.10.dr	String found in binary or memory: "www.youtube.com": "{\"Tier1\": [983, 6061, 1103], \"Tier2\": [2413, 8118, 1720, 5007]}", equals www.youtube.com (Youtube)
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000004.00000003.2441114946.000068DC03258000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2441030604.000068DC032BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000004.00000003.2441114946.000068DC03258000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2441030604.000068DC032BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: vikine.rest
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----4o8qq168y5pp8ycbsr1vUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: vikine.restContent-Length: 255Connection: Keep-AliveCache-Control: no-cache

Source: hX2c2UOBSX.exe	String found in binary or memory: http://.css
Source: hX2c2UOBSX.exe	String found in binary or memory: http://.jpg
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: hX2c2UOBSX.exe	String found in binary or memory: http://html4/loose.dtd
Source: chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000004.00000003.2443353092.000068DC03258000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2442979895.000068DC03238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443538058.000068DC0340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443287986.000068DC033CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: chrome.exe, 00000004.00000003.2444364903.000068DC03520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443893357.000068DC032B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443929017.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443353092.000068DC03258000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2442979895.000068DC03238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2444291152.000068DC0346C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443335694.000068DC03440000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443853805.000068DC02F7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443951574.000068DC032BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2444117811.000068DC0260C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443538058.000068DC0340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443287986.000068DC033CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000004.00000003.2444364903.000068DC03520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443893357.000068DC032B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443929017.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443353092.000068DC03258000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2442979895.000068DC03238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2444291152.000068DC0346C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443335694.000068DC03440000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443853805.000068DC02F7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443951574.000068DC032BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2444117811.000068DC0260C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443538058.000068DC0340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443287986.000068DC033CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000004.00000003.2444364903.000068DC03520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443893357.000068DC032B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443929017.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443353092.000068DC03258000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2442979895.000068DC03238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2444291152.000068DC0346C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443335694.000068DC03440000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443853805.000068DC02F7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443951574.000068DC032BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2444117811.000068DC0260C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443538058.000068DC0340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443287986.000068DC033CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000004.00000003.2444364903.000068DC03520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443893357.000068DC032B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443929017.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443353092.000068DC03258000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2442979895.000068DC03238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2444291152.000068DC0346C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443335694.000068DC03440000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443853805.000068DC02F7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443951574.000068DC032BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2444117811.000068DC0260C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443538058.000068DC0340C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443287986.000068DC033CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chromecache_471.6.dr	String found in binary or memory: http://www.broofa.com
Source: BitLockerToGo.exe, 00000003.00000003.2559591040.0000000005074000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079173702.0000000005074000.00000004.00000020.00020000.00000000.sdmp, cjm7g4.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000004.00000003.2444117811.000068DC02654000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02654000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2440107263.000068DC02654000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2438510579.000068DC02654000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2442613329.000068DC02654000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02654000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chromecache_476.6.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_476.6.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000004.00000003.2439743392.000068DC0258C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000004.00000003.2457077371.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp, chromecache_471.6.dr, chromecache_476.6.dr	String found in binary or memory: https://apis.google.com
Source: msedge.exe, 00000009.00000002.2574083586.0000022338F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comse
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002810000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079173702.0000000005031000.00000004.00000020.00020000.00000000.sdmp, lf3ekn.3.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002810000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079173702.0000000005031000.00000004.00000020.00020000.00000000.sdmp, lf3ekn.3.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: Reporting and NEL.12.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: chrome.exe, 00000004.00000003.2463431530.000068DC02F1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2463090269.000068DC02F20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2444073924.000068DC02F1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2456557397.000068DC02F1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2440294331.000068DC02F20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439365465.000068DC02F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: BitLockerToGo.exe, 00000003.00000003.2559591040.0000000005074000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079173702.0000000005074000.00000004.00000020.00020000.00000000.sdmp, cjm7g4.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: offscreendocument_main.js.10.dr, service_worker_bin_prod.js.10.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/mathjax/
Source: BitLockerToGo.exe, 00000003.00000003.2559591040.0000000005074000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079173702.0000000005074000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079801926.0000000005481000.00000004.00000020.00020000.00000000.sdmp, cjm7g4.3.dr, iwbas0.3.dr, Web Data.10.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BitLockerToGo.exe, 00000003.00000003.2559591040.0000000005074000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079173702.0000000005074000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079801926.0000000005481000.00000004.00000020.00020000.00000000.sdmp, cjm7g4.3.dr, iwbas0.3.dr, Web Data.10.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000004.00000003.2442771769.000068DC02F94000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000002.2577644994.000006680016C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: manifest.json.10.dr	String found in binary or memory: https://chrome.google.com/webstore/
Source: chrome.exe, 00000004.00000003.2448779995.000068DC02F94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2444572762.000068DC02528000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2442358153.000068DC03338000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2440527988.000068DC02F7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439280203.000068DC02F94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439255777.000068DC02F7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2442771769.000068DC02F94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000004.00000003.2432068291.0000020000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2431920300.000002000071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000004.00000003.2432068291.0000020000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2431920300.000002000071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000004.00000003.2432068291.0000020000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2431920300.000002000071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: msedge.exe, 00000009.00000002.2577644994.000006680016C000.00000004.00000800.00020000.00000000.sdmp, manifest.json.10.dr	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000004.00000003.2428369029.00007644002E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2428351243.00007644002D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000004.00000003.2435525122.000068DC026D8000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000002.2574671836.0000066800040000.00000004.00000800.00020000.00000000.sdmp, manifest.json0.10.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chromecache_476.6.dr	String found in binary or memory: https://clients6.google.com
Source: chromecache_476.6.dr	String found in binary or memory: https://content.googleapis.com
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002810000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079173702.0000000005031000.00000004.00000020.00020000.00000000.sdmp, lf3ekn.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002810000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079173702.0000000005031000.00000004.00000020.00020000.00000000.sdmp, lf3ekn.3.dr	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: 2cc80dabc69f58b6_0.10.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: manifest.json0.10.dr	String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000004.00000003.2473423436.000068DC03258000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview2K
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000004.00000003.2440294331.000068DC02F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chromecache_476.6.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: manifest.json0.10.dr	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json0.10.dr	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json0.10.dr	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json0.10.dr	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json0.10.dr	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json0.10.dr	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json0.10.dr	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json0.10.dr	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json0.10.dr	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json0.10.dr	String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000004.00000003.2444117811.000068DC0260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: manifest.json0.10.dr	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: BitLockerToGo.exe, 00000003.00000003.2559591040.0000000005074000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079173702.0000000005074000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079801926.0000000005481000.00000004.00000020.00020000.00000000.sdmp, cjm7g4.3.dr, iwbas0.3.dr, Web Data.10.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 00000003.00000003.2559591040.0000000005074000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079173702.0000000005074000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079801926.0000000005481000.00000004.00000020.00020000.00000000.sdmp, cjm7g4.3.dr, iwbas0.3.dr, Web Data.10.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 00000003.00000003.2559591040.0000000005074000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079173702.0000000005074000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079801926.0000000005481000.00000004.00000020.00020000.00000000.sdmp, cjm7g4.3.dr, iwbas0.3.dr, Web Data.10.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 000003.log7.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/addressbar_uu_files.en-gb/1.0.2/asset?sv=2017-07-29&sr
Source: 000003.log7.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log7.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_163_music.png/1.0.3/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_dark.png/1.7.32/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_hc.png/1.7.32/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr, HubApps Icons.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr, HubApps Icons.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_amazon_music_light.png/1.4.13/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_apple_music.png/1.4.12/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_deezer.png/1.4.12/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_color.png/1.0.14/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_hc.png/1.0.14/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_hc.png/1.1.12/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_dark.png/1.1.12/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr, HubApps Icons.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_hc.png/1.2.0/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_dark.png/1.2.0/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_light.png/1.2.0/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_excel.png/1.7.32/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_facebook_messenger.png/1.5.14/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gaana.png/1.0.3/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc.png/1.7.1/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_controller.png/1.7.1/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_joystick.png/1.7.1/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark.png/1.7.1/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_controller.png/1.7.1/
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_joystick.png/1.7.1/as
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr, HubApps Icons.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_controller.png/1.7.1
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_joystick.png/1.7.1/a
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gmail.png/1.5.4/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_iHeart.png/1.0.3/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_hc.png/1.0.14/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_dark.png/1.0.14/as
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_light.png/1.0.14/a
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_instagram.png/1.4.13/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_ku_gou.png/1.0.3/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_last.png/1.0.3/asset
Source: 000003.log7.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_naver_vibe.png/1.0.3/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_dark.png/1.4.9/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_hc.png/1.4.9/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_light.png/1.4.9/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_dark.png/1.9.10/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_hc.png/1.9.10/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr, HubApps Icons.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_power_point.png/1.7.32/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_qq.png/1.0.3/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_dark.png/1.1.12/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_hc.png/1.1.12/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_light.png/1.1.12/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr, HubApps Icons.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.1.12/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.5.13/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.1.12/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.5.13/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.1.12/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.4.0/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.5.13/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_hc.png/1.4.0/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_dark.png/1.4.0/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr, HubApps Icons.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_dark.png/1.3.20/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_hc.png/1.3.20/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_light.png/1.3.20/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_sound_cloud.png/1.0.3/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_spotify.png/1.4.12/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_dark.png/1.2.19/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_hc.png/1.2.19/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_light.png/1.2.19/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_telegram.png/1.0.4/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tidal.png/1.0.3/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_hc.png/1.5.13/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_dark.png/1.5.13/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr, HubApps Icons.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_twitter_light.png/1.0.9/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_vk.png/1.0.3/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whatsapp_light.png/1.4.11/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_word.png/1.7.32/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_yandex_music.png/1.0.10/asset
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_youtube.png/1.4.14/asset
Source: 000003.log7.10.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/signal_triggers/1.13.3/asset?sv=2017-07-29&sr=c&sig=Nt
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://excel.new?from=EdgeM365Shoreline
Source: chromecache_471.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_471.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_471.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_471.6.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://gaana.com/
Source: chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/#
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/&
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/-
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/0
Source: chrome.exe, 00000004.00000003.2432068291.0000020000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2431920300.000002000071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/7
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/:
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/A
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/D
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/I
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/K
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/L
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/N
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/S
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/U
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/X
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/g
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/j
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/l
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/q
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/t
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/~
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000004.00000003.2432068291.0000020000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2431920300.000002000071C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: msedge.exe, 00000009.00000002.2581410390.0000066800398000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://i.y.qq.com/n2/m/index.html
Source: lf3ekn.3.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000004.00000003.2439836617.000068DC02FB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000004.00000003.2456871341.000068DC03294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/
Source: chrome.exe, 00000004.00000003.2431920300.000002000071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000004.00000003.2475330833.000068DC03F78000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2475427779.000068DC03F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000004.00000003.2432068291.0000020000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2431920300.000002000071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000004.00000003.2432068291.0000020000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2431920300.000002000071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000004.00000003.2475330833.000068DC03F78000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2475427779.000068DC03F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardh
Source: chrome.exe, 00000004.00000003.2431920300.000002000071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000004.00000003.2456610448.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2457231856.000068DC03614000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2462583521.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2462683581.000068DC036BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2462738950.000068DC0376C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2457077371.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://latest.web.skype.com/?browsername=edge_canary_shoreline
Source: chrome.exe, 00000004.00000003.2444364903.000068DC03520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2444291152.000068DC0346C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2444117811.000068DC0260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000004.00000003.2444364903.000068DC03520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2444291152.000068DC0346C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2444117811.000068DC0260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000004.00000003.2432068291.0000020000728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2431920300.000002000071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000004.00000003.2432604461.000002000087C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2444117811.000068DC0260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000004.00000003.2431920300.000002000071C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://m.kugou.com/
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://m.soundcloud.com/
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://m.vk.com/
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000004.00000003.2456871341.000068DC03294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab
Source: chrome.exe, 00000004.00000003.2456610448.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2457231856.000068DC03614000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2462583521.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2462683581.000068DC036BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2462738950.000068DC0376C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2457077371.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://mail.google.com/mail/mu/mp/266/#tl/Inbox
Source: msedge.exe, 00000009.00000002.2581410390.0000066800398000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.cn/
Source: msedge.exe, 00000009.00000002.2581410390.0000066800398000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://msn.com/
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://music.amazon.com
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://music.apple.com
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://music.yandex.com
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email?utm_source=chrome2B
Source: chrome.exe, 00000004.00000003.2441570001.000068DC032EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: 000003.log3.10.dr	String found in binary or memory: https://ntp.msn.com
Source: 000003.log9.10.dr, 000003.log0.10.dr	String found in binary or memory: https://ntp.msn.com/
Source: 000003.log9.10.dr	String found in binary or memory: https://ntp.msn.com/0
Source: 000003.log9.10.dr, 2cc80dabc69f58b6_1.10.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp
Source: 000003.log9.10.dr, 2cc80dabc69f58b6_1.10.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=288
Source: Session_13383324822210209.10.dr	String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start
Source: 2cc80dabc69f58b6_0.10.dr	String found in binary or memory: https://ntp.msn.comService-Worker-Allowed:
Source: msedge.exe, 00000009.00000002.2581410390.0000066800398000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.net/
Source: chrome.exe, 00000004.00000003.2457077371.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000004.00000003.2463090269.000068DC02F1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000004.00000003.2457077371.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000004.00000003.2457077371.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://open.spotify.com
Source: chrome.exe, 00000004.00000003.2442429809.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443951574.000068DC032E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000004.00000003.2442429809.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443951574.000068DC032E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000004.00000003.2442429809.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443951574.000068DC032E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000004.00000003.2443951574.000068DC032E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000004.00000003.2442429809.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443951574.000068DC032E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000004.00000003.2442429809.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443951574.000068DC032E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000004.00000003.2442429809.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443951574.000068DC032E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000004.00000003.2442429809.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2443951574.000068DC032E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://outlook.live.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://outlook.live.com/mail/0/
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://outlook.live.com/mail/compose?isExtension=true
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://outlook.office.com/mail/0/
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://outlook.office.com/mail/compose?isExtension=true
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge
Source: msedge.exe, 00000009.00000003.2567248162.0000066800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2567139218.0000066800268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/AddSession
Source: msedge.exe, 00000009.00000003.2567248162.0000066800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2567139218.0000066800268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/Logout
Source: msedge.exe, 00000009.00000003.2567248162.0000066800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2567139218.0000066800268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/LogoutYxABzen
Source: msedge.exe, 00000009.00000003.2567248162.0000066800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2567139218.0000066800268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/MergeSession
Source: msedge.exe, 00000009.00000003.2567248162.0000066800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2567139218.0000066800268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/OAuthLogin
Source: msedge.exe, 00000009.00000003.2567248162.0000066800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2567139218.0000066800268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/RotateBoundCookies
Source: msedge.exe, 00000009.00000003.2567248162.0000066800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2567139218.0000066800268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/chrome/blank.html
Source: msedge.exe, 00000009.00000003.2567248162.0000066800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2567139218.0000066800268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revoke
Source: msedge.exe, 00000009.00000003.2567248162.0000066800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2567139218.0000066800268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/o/oauth2/revokeh
Source: msedge.exe, 00000009.00000003.2567248162.0000066800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2567139218.0000066800268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth/multilogin
Source: msedge.exe, 00000009.00000003.2567248162.0000066800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2567139218.0000066800268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v1/userinfo
Source: msedge.exe, 00000009.00000003.2567248162.0000066800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2567139218.0000066800268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v2/tokeninfo
Source: msedge.exe, 00000009.00000003.2567248162.0000066800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2567139218.0000066800268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/oauth2/v4/token
Source: msedge.exe, 00000009.00000003.2567248162.0000066800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2567139218.0000066800268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/reauth/v1beta/users/
Source: msedge.exe, 00000009.00000003.2567248162.0000066800270000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000009.00000003.2567139218.0000066800268000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://permanently-removed.invalid/v1/issuetoken
Source: chrome.exe, 00000004.00000003.2441570001.000068DC032EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000004.00000003.2444364903.000068DC03520000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2444291152.000068DC0346C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2444117811.000068DC0260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chromecache_471.6.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_476.6.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_476.6.dr	String found in binary or memory: https://plus.googleapis.com
Source: chrome.exe, 00000004.00000003.2441570001.000068DC032EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://powerpoint.new?from=EdgeM365Shoreline
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comb
Source: chrome.exe, 00000004.00000003.2456610448.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2457231856.000068DC03614000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2462583521.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2462683581.000068DC036BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2462738950.000068DC0376C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2457077371.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: hX2c2UOBSX.exe, 00000000.00000002.2335076897.0000000009F00000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000003.2282462028.0000000009EFA000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000002.2334915170.0000000009E50000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000003.2266906038.000000000A0EA000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3077493602.000000000044D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199824159981
Source: BitLockerToGo.exe, 00000003.00000002.3077493602.000000000044D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199824159981a110mgzMozilla/5.0
Source: BitLockerToGo.exe, 00000003.00000002.3081397430.0000000005948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 00000003.00000002.3081397430.0000000005948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002758000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: BitLockerToGo.exe, 00000003.00000003.2339572208.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sok33tn
Source: BitLockerToGo.exe, 00000003.00000002.3077493602.000000000044D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sok33tna110mgzMozilla/5.0
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/sok33tnsi
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://tidal.com/
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://twitter.com/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.10.dr	String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.10.dr	String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.10.dr	String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://vibe.naver.com/today
Source: BitLockerToGo.exe, 00000003.00000003.2339572208.00000000027C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2393340952.00000000027C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest
Source: BitLockerToGo.exe, 00000003.00000003.2393340952.00000000027C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/
Source: BitLockerToGo.exe, 00000003.00000003.2563504001.0000000002820000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/0xrf
Source: BitLockerToGo.exe, 00000003.00000003.2563995709.00000000027C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/4
Source: BitLockerToGo.exe, 00000003.00000003.2393340952.00000000027C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/8
Source: BitLockerToGo.exe, 00000003.00000003.2352981350.00000000027C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/a
Source: BitLockerToGo.exe, 00000003.00000003.2563504001.0000000002820000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/o
Source: BitLockerToGo.exe, 00000003.00000003.2366564389.00000000027C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2380240783.00000000027C4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2352981350.00000000027C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2393340952.00000000027C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/st
Source: BitLockerToGo.exe, 00000003.00000003.2380240783.00000000027C4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2393340952.00000000027C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/sta
Source: BitLockerToGo.exe, 00000003.00000003.2366564389.00000000027C6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2380240783.00000000027C4000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2563995709.00000000027C3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3078403678.00000000027B0000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2352981350.00000000027C8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000003.2393340952.00000000027C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest/t
Source: BitLockerToGo.exe, 00000003.00000003.2352981350.00000000027C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vikine.rest4
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://web.skype.com/?browsername=edge_stable_shoreline
Source: BitLockerToGo.exe, 00000003.00000003.2339572208.00000000027C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://web.telegram.org/
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://web.whatsapp.com
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://word.new?from=EdgeM365Shoreline
Source: chromecache_476.6.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002810000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079173702.0000000005031000.00000004.00000020.00020000.00000000.sdmp, lf3ekn.3.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002810000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079173702.0000000005031000.00000004.00000020.00020000.00000000.sdmp, lf3ekn.3.dr	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.deezer.com/
Source: BitLockerToGo.exe, 00000003.00000003.2559591040.0000000005074000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079173702.0000000005074000.00000004.00000020.00020000.00000000.sdmp, cjm7g4.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000004.00000003.2439365465.000068DC02F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000004.00000003.2463431530.000068DC02F1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2463090269.000068DC02F20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2444073924.000068DC02F1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2456557397.000068DC02F1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2440294331.000068DC02F20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439365465.000068DC02F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000004.00000003.2463431530.000068DC02F1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2463090269.000068DC02F20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2444073924.000068DC02F1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2456557397.000068DC02F1C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2440294331.000068DC02F20000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2439365465.000068DC02F20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: chrome.exe, 00000004.00000003.2442771769.000068DC02F94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: content.js.10.dr, content_new.js.10.dr	String found in binary or memory: https://www.google.com/chrome
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: BitLockerToGo.exe, 00000003.00000003.2559591040.0000000005074000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079173702.0000000005074000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3079801926.0000000005481000.00000004.00000020.00020000.00000000.sdmp, cjm7g4.3.dr, iwbas0.3.dr, Web Data.10.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000004.00000003.2456871341.000068DC03294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl
Source: chrome.exe, 00000004.00000003.2456610448.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2457231856.000068DC03614000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2462583521.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2462683581.000068DC036BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2462738950.000068DC0376C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2457077371.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000004.00000003.2457077371.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000004.00000003.2444117811.000068DC0260C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chromecache_476.6.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_476.6.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chrome.exe, 00000004.00000003.2477487191.000068DC03BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477559207.000068DC03BB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477335946.000068DC03B88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2477426439.000068DC03B9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000004.00000003.2474857793.000068DC03A50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chromecache_471.6.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_471.6.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_471.6.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: chrome.exe, 00000004.00000003.2457077371.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000004.00000003.2456610448.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2457284868.000068DC0375C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2462583521.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2462683581.000068DC036BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2462436420.000068DC036E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2462738950.000068DC0376C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2457077371.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000004.00000003.2457077371.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.XA6cJfY6CcY.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000004.00000003.2457077371.000068DC036A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.y1YSUixQIjo.L.W.O/m=qmd
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.iheart.com/podcast/
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.instagram.com
Source: hX2c2UOBSX.exe	String found in binary or memory: https://www.jam-software.com/ultrasearch_freeD
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.last.fm/
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.messenger.com
Source: BitLockerToGo.exe, 00000003.00000002.3081397430.0000000005948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: BitLockerToGo.exe, 00000003.00000002.3081397430.0000000005948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: BitLockerToGo.exe, 00000003.00000002.3081397430.0000000005948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: BitLockerToGo.exe, 00000003.00000002.3081397430.0000000005948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000003.00000002.3081397430.0000000005948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: BitLockerToGo.exe, 00000003.00000002.3081397430.0000000005948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&game
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&item
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&item=fl
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&playInS
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.office.com
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNshoreline
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=1
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=2
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=1
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=2
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://www.youtube.com
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000004.00000003.2438510579.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2436152998.000068DC0276C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2473459548.000068DC02675000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000004.00000003.2465834798.000068DC02675000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: 7da3e238-e9d2-462e-af4c-340928c867cb.tmp.10.dr	String found in binary or memory: https://y.music.163.com/m/

Source: unknown	Network traffic detected: HTTP traffic on port 50145 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown	Network traffic detected: HTTP traffic on port 50139 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 50151 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50154 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50148 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown	Network traffic detected: HTTP traffic on port 50077 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50147 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50130 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50156 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50142 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown	Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50150 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown	Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown	Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50139
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50138
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 50149 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50130
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50135
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50137
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50136
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50135 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50140
Source: unknown	Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 50144 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50149
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50142
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50141
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50144
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50143
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50146
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50145
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50148
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50147
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50151
Source: unknown	Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50150
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50086 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50143 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50153
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50154
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50157
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50156
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50137 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 50140 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50146 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 50157 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50109 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.75.214.119:443 -> 192.168.2.5:49786 version: TLS 1.2

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_00435AD3 CreateDesktopA,CreateProcessA,Sleep,

3_2_00435AD3

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.3.hX2c2UOBSX.exe.9f00000.3.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.3.hX2c2UOBSX.exe.9f20000.2.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.2.hX2c2UOBSX.exe.a0fa000.2.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.3.hX2c2UOBSX.exe.9ee0000.4.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.2.hX2c2UOBSX.exe.9f00000.1.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.3.hX2c2UOBSX.exe.9f40000.1.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.3.hX2c2UOBSX.exe.9f00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 3.2.BitLockerToGo.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.2.hX2c2UOBSX.exe.a0fa000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.2.hX2c2UOBSX.exe.9f00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000000.00000002.2335076897.0000000009F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000000.00000002.2335096406.000000000A0FA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000000.00000003.2282462028.0000000009F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 00000000.00000003.2281700446.000000000A016000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00434B3F	3_2_00434B3F
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00445147	3_2_00445147
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00447D56	3_2_00447D56
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043AF7E	3_2_0043AF7E
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004471E1	3_2_004471E1
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004453AF	3_2_004453AF

Source: hX2c2UOBSX.exe, 00000000.00000003.2281756893.0000000009FFA000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs hX2c2UOBSX.exe

Source: hX2c2UOBSX.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: 0.3.hX2c2UOBSX.exe.9f00000.3.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.3.hX2c2UOBSX.exe.9f20000.2.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.hX2c2UOBSX.exe.a0fa000.2.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.3.hX2c2UOBSX.exe.9ee0000.4.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.hX2c2UOBSX.exe.9f00000.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.3.hX2c2UOBSX.exe.9f40000.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.3.hX2c2UOBSX.exe.9f00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 3.2.BitLockerToGo.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.hX2c2UOBSX.exe.a0fa000.2.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.hX2c2UOBSX.exe.9f00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000002.2335076897.0000000009F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000002.2335096406.000000000A0FA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000003.2282462028.0000000009F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 00000000.00000003.2281700446.000000000A016000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research

Source: ymymyu.3.dr

Binary string: #WriteOfflineHivesTerminateSetupModuleds\security\cryptoapi\cryptosetup\cryptosetup.cDCryptoSetup module terminatedCryptoSetupNewRegistryCallBackCryptoSetup EntropyWrite given invalid event typeCryptoSetup EntropyWrite given invalid event data sizeWriteEntropyToNewRegistryCryptoSetup failed to get Ksecdd entropy %08xRNGCryptoSetup failed to open system hive key %08xExternalEntropyCryptoSetup failed to write entropy into the system hive %08xCryptoSetup failed to close system hive key %08xCryptoSetup succeeded writing entropy key\Device\KsecDDWriteCapiMachineGuidCryptoSetup failed get entropy from ksecdd for CAPI machine guid %08x%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02xCryptoSetup failed to convert CAPI machine guid to string %08xMicrosoft\CryptographyCryptoSetup failed get open/create reg key for CAPI machine guid %08xMachineGuidCryptoSetup failed get write CAPI machine guid %08xCryptoSetup assigned CAPI machine guid "%s"

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@70/288@28/21

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_0043F029 CreateToolhelp32Snapshot,Process32First,Process32Next,

3_2_0043F029

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\XXMIVZ2V.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:612:120:WilError_03

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\ffa5a56e-531f-4c5a-8f06-6952ba2c2d88.tmp

Jump to behavior

Source: hX2c2UOBSX.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\hX2c2UOBSX.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2d2nyc2no.3.dr, 6ppppzmgd.3.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: hX2c2UOBSX.exe	Virustotal: Detection: 45%
Source: hX2c2UOBSX.exe	ReversingLabs: Detection: 34%

Source: hX2c2UOBSX.exe	String found in binary or memory: net/addrselect.go
Source: hX2c2UOBSX.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.6/loadconfig.go
Source: hX2c2UOBSX.exe	String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>

Source: unknown	Process created: C:\Users\user\Desktop\hX2c2UOBSX.exe "C:\Users\user\Desktop\hX2c2UOBSX.exe"
Source: C:\Users\user\Desktop\hX2c2UOBSX.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 --field-trial-handle=2352,i,12889563372584543830,4112607427358545807,262144 /prefetch:8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2520 --field-trial-handle=2540,i,2978208474614954716,5468378796745314197,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2672 --field-trial-handle=2084,i,4349758898381400931,1592003162403205236,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6844 --field-trial-handle=2084,i,4349758898381400931,1592003162403205236,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7008 --field-trial-handle=2084,i,4349758898381400931,1592003162403205236,262144 /prefetch:8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" & rd /s /q "C:\ProgramData\wt000" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=2932 --field-trial-handle=2084,i,4349758898381400931,1592003162403205236,262144 /prefetch:8
Source: C:\Users\user\Desktop\hX2c2UOBSX.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" & rd /s /q "C:\ProgramData\wt000" & exit	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 --field-trial-handle=2352,i,12889563372584543830,4112607427358545807,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2672 --field-trial-handle=2084,i,4349758898381400931,1592003162403205236,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2520 --field-trial-handle=2540,i,2978208474614954716,5468378796745314197,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2672 --field-trial-handle=2084,i,4349758898381400931,1592003162403205236,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6844 --field-trial-handle=2084,i,4349758898381400931,1592003162403205236,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7008 --field-trial-handle=2084,i,4349758898381400931,1592003162403205236,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=2932 --field-trial-handle=2084,i,4349758898381400931,1592003162403205236,262144 /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Users\user\Desktop\hX2c2UOBSX.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hX2c2UOBSX.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\hX2c2UOBSX.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\hX2c2UOBSX.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.4.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: hX2c2UOBSX.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: hX2c2UOBSX.exe

Static file information: File size 7649792 > 1048576

Source: hX2c2UOBSX.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x36fe00
Source: hX2c2UOBSX.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x30fe00

Source: hX2c2UOBSX.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: A{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdbA source: hX2c2UOBSX.exe, 00000000.00000002.2335076897.0000000009F00000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000002.2334915170.0000000009E2A000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000003.2282462028.0000000009EFA000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000003.2266906038.000000000A0EA000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3077471735.0000000000449000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: vdr1.pdb source: hX2c2UOBSX.exe, 00000000.00000003.2282403571.0000000009F2A000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000002.2335076897.0000000009F00000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000002.2334915170.0000000009E2A000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000003.2266906038.000000000A0EA000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3077471735.0000000000449000.00000002.00000400.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdb source: hX2c2UOBSX.exe, 00000000.00000003.2281790488.0000000009FDC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cryptosetup.pdbGCTL source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002810000.00000004.00000020.00020000.00000000.sdmp, ymymyu.3.dr
Source:	Binary string: cryptosetup.pdb source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002810000.00000004.00000020.00020000.00000000.sdmp, ymymyu.3.dr
Source:	Binary string: D{"id":1,"method":"Storage.getCookies"}\|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2comctl32gdi32:225121Windows 11HTTP/1.1HARDWARE\DESCRIPTION\System\CentralProcessor\0abcdefgh
Source:	Binary string: BitLockerToGo.pdbGCTL source: hX2c2UOBSX.exe, 00000000.00000003.2281790488.0000000009FDC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\vdr1\Release\vdr1.pdb source: hX2c2UOBSX.exe, 00000000.00000002.2335076897.0000000009F00000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000002.2334915170.0000000009E2A000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000003.2282462028.0000000009EFA000.00000004.00001000.00020000.00000000.sdmp, hX2c2UOBSX.exe, 00000000.00000003.2266906038.000000000A0EA000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000003.00000002.3077471735.0000000000449000.00000002.00000400.00020000.00000000.sdmp

Source: hX2c2UOBSX.exe

Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\hX2c2UOBSX.exe

Code function: 0_3_09C30E90 push cs; ret

0_3_09C30E9A

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File created: C:\ProgramData\wt000\ymymyu

Jump to dropped file

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File created: C:\ProgramData\wt000\ymymyu

Jump to dropped file

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File created: C:\ProgramData\wt000\ymymyu

Jump to dropped file

Boot Survival

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\hX2c2UOBSX.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hX2c2UOBSX.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Dropped PE file which has not been started: C:\ProgramData\wt000\ymymyu

Jump to dropped file

Source: C:\Windows\SysWOW64\timeout.exe TID: 360

Thread sleep count: 87 > 30

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00437891 FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,	3_2_00437891
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_0043A69C FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,	3_2_0043A69C
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00438776 FindFirstFileA,FindNextFileA,	3_2_00438776
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_004313DA FindFirstFileA,	3_2_004313DA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00441187 FindFirstFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,	3_2_00441187
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Code function: 3_2_00436784 FindFirstFileA,CopyFileA,CopyFileA,DeleteFileA,FindNextFileA,	3_2_00436784

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_00441722 GetLogicalDriveStringsA,GetDriveTypeA,

3_2_00441722

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_0043DF8C GetSystemInfo,

3_2_0043DF8C

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: Web Data.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Web Data.10.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Web Data.10.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Web Data.10.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Web Data.10.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: Web Data.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.00000000027B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msedge.exe, 00000009.00000003.2564320593.0000066800384000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,1(
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002758000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: Web Data.10.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Web Data.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Web Data.10.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Web Data.10.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Web Data.10.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Web Data.10.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Web Data.10.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Web Data.10.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Web Data.10.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: hX2c2UOBSX.exe, 00000000.00000002.2332935533.0000000001057000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: msedge.exe, 00000009.00000002.2573491322.0000022337044000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Web Data.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Web Data.10.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Web Data.10.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Web Data.10.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Web Data.10.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Web Data.10.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Web Data.10.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Web Data.10.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Web Data.10.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Web Data.10.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Web Data.10.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Web Data.10.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Web Data.10.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Web Data.10.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Web Data.10.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Web Data.10.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\hX2c2UOBSX.exe

Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 430000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\hX2c2UOBSX.exe

Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 430000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\hX2c2UOBSX.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 20B008	Jump to behavior
Source: C:\Users\user\Desktop\hX2c2UOBSX.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\hX2c2UOBSX.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 431000	Jump to behavior
Source: C:\Users\user\Desktop\hX2c2UOBSX.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 449000	Jump to behavior
Source: C:\Users\user\Desktop\hX2c2UOBSX.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44D000	Jump to behavior
Source: C:\Users\user\Desktop\hX2c2UOBSX.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44F000	Jump to behavior
Source: C:\Users\user\Desktop\hX2c2UOBSX.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 450000	Jump to behavior
Source: C:\Users\user\Desktop\hX2c2UOBSX.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 451000	Jump to behavior

Source: C:\Users\user\Desktop\hX2c2UOBSX.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" & rd /s /q "C:\ProgramData\wt000" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: GetLocaleInfoA,

3_2_0043DE1C

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\hX2c2UOBSX.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hX2c2UOBSX.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_00444CDB GetComputerNameW,GetUserNameW,GetFileType,

3_2_00444CDB

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Code function: 3_2_0043DDBF GetTimeZoneInformation,

3_2_0043DDBF

Source: C:\Users\user\Desktop\hX2c2UOBSX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 0.3.hX2c2UOBSX.exe.9f00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.BitLockerToGo.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hX2c2UOBSX.exe.a0fa000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hX2c2UOBSX.exe.9f00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2335076897.0000000009F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2335096406.000000000A0FA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2282462028.0000000009F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2380240783.00000000027C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2266906038.000000000A0EA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2393340952.00000000027C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hX2c2UOBSX.exe PID: 6720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 3524, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: BitLockerToGo.exe, 00000003.00000002.3077196517.00000000001E4000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: electrum.*
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.00000000027B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.00000000027B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.00000000027B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.00000000027B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: BitLockerToGo.exe, 00000003.00000002.3077196517.00000000001E4000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: ethereum.*
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.00000000027B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: multidoge.wallet
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.00000000027B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.00000000027B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: BitLockerToGo.exe, 00000003.00000002.3078403678.0000000002810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match	File source: 00000003.00000002.3078403678.00000000027B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 3524, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 0.3.hX2c2UOBSX.exe.9f00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.BitLockerToGo.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hX2c2UOBSX.exe.a0fa000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.hX2c2UOBSX.exe.9f00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2335076897.0000000009F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2335096406.000000000A0FA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2282462028.0000000009F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2380240783.00000000027C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2266906038.000000000A0EA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2393340952.00000000027C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hX2c2UOBSX.exe PID: 6720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 3524, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Obfuscated Files or Information	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Create Account	1 Extra Window Memory Injection	1 DLL Side-Loading	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	311 Process Injection	1 Extra Window Memory Injection	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	11 Masquerading	NTDS	34 System Information Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Virtualization/Sandbox Evasion	LSA Secrets	1 Query Registry	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	311 Process Injection	Cached Domain Credentials	1 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hX2c2UOBSX.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
hX2c2UOBSX.exe